Documente Academic
Documente Profesional
Documente Cultură
Categorization: Moderate-Low-Low
Incorporates Classified, Closed Restricted Network/Local Area Network and Standalone Overlays
Version 5
Date 24 February 2020
System/Document Change Records
INSTRUCTIONS (DELETE IN FINAL DOCUMENT. The system changes provided within this table must be incorporated into the
security plan during the system’s re-authorization or when the system change is significant to completely invalidate the current
security plan.
SSP Revision Description of Changed Page(s) Date Entered BY
Number change
V1 Initial Document 25 Jan 16
Revised 09 May 16 TLB
ii
INSTRUCTIONS (DELETE IN FINAL DOCUMENT): Click on the “Enter Name” entry below to type in the name.
X_____________________________________________
DAO-REPRESENTATIVE
Enter Name
X_____________________________________________
iii
INSTRUCTIONS (DELETE IN FINAL DOCUMENT): Click on the “Enter Name” entry below to type in the name.
X_____________________________________________
ISSM
Enter Name
X_____________________________________________
ISSO
Enter Name
X_____________________________________________
iv
Table of Contents
1
Background ............................................................................................................................................................................. 1
2 Applicability ............................................................................................................................................................................. 1
3 References .............................................................................................................................................................................. 1
4 Reciprocity .............................................................................................................................................................................. 1
5 System Identification .............................................................................................................................................................. 1
System Overview ........................................................................................................................................................... 1
Security Categorization ................................................................................................................................................. 1
5.2.1 Summary Results and Rationale .......................................................................................................................... 1
5.2.2 Categorization Detailed Results ........................................................................................................................... 1
Information Impact Categorization ..................................................................................................................................... 1
5.2.2.1 System Security Impact Categorization........................................................................................................... 1
5.2.2.2 Risk Adjusted System Impact Categorization .................................................................................................. 2
5.2.3 Control Selection ................................................................................................................................................. 2
6 Key Roles and Responsibilities ................................................................................................................................................ 2
Risk Management .......................................................................................................................................................... 2
IA Support Personnel ..................................................................................................................................................... 3
7 System Environment ............................................................................................................................................................... 4
Physical Environment .................................................................................................................................................... 4
Facility/System Layout ................................................................................................................................................... 4
Personnel Authorizations .............................................................................................................................................. 4
System Classification Level(s) & Compartment(s) ......................................................................................................... 4
Unique Data Handling Requirements ............................................................................................................................ 5
Information Access Policies ........................................................................................................................................... 5
8 General System Description/Purpose ..................................................................................................................................... 5
System Description ........................................................................................................................................................ 5
System Architecture ...................................................................................................................................................... 5
Functional Architecture ................................................................................................................................................. 5
User Roles and Access Privileges ................................................................................................................................... 5
9 Interconnections ..................................................................................................................................................................... 5
Direct Network Connections ......................................................................................................................................... 5
Indirect Connections/Information Sharing .................................................................................................................... 6
Memoranda of Understanding (MOU), Memoranda of Agreement (MOA), Co-Utilization Agreements (CUA) and
Interconnection Security Agreements (ISA) ................................................................................................................................. 6
10 Baseline Security Controls ....................................................................................................................................................... 2
Summary Listing of Required Controls for a Moderate – Low – Low (M-L-L) Baseline.................................................. 2
Access Control (AC) ....................................................................................................................................................... 2
10.2.1 AC-1 – Access Control Policy and Procedures Requirements .............................................................................. 2
10.2.2 AC-2 – Account Management (+ Privacy Overlay) ............................................................................................... 2
10.2.2.1 AC-2 (1) – Account Management: Automated System Account Management (- Standalone Overlay) ......... 3
10.2.2.2 AC-2(2) – Account Management: Removal of Temporary/Emergency Accounts (- Standalone Overlay) ...... 4
10.2.2.3 AC-2(3) – Account Management: Disable Inactive Accounts (- Standalone Overlay) .................................... 4
10.2.2.4 AC-2(4) – Account Management: Automated Audit Actions ......................................................................... 5
10.2.2.5 AC-2(5) – Account Management: Inactivity Logout ....................................................................................... 5
10.2.2.6 AC-2(7) – Account Management: Role Based Schemes (- Standalone Overlay)............................................. 5
10.2.2.7 AC-2(9) – Account Management: Restrictions on Use of Shared Groups/Accounts (+ Privacy Overlay) –
NEW BASELINE..................................................................................................................................................................... 6
10.2.2.8 AC-2(10) – Account Management: Shared/Group Account Credential Termination – NEW BASELINE ......... 6
10.2.2.9 AC-2(12) – Account Management: Active Monitoring/Atypical Usage – NEW BASELINE .............................. 7
10.2.2.10 AC-2(13) – Account Management: Disable Accounts for High-Risk Individuals (+ Privacy Overlay) – NEW
BASELINE 7
10.2.3 AC-3 – Access Enforcement (+ Privacy Overlay) .................................................................................................. 7
10.2.3.1 AC-3(2) – Access Enforcement: Dual Authorization (+ Classified Overlay) – NEW BASELINE ......................... 8
v
10.2.3.2 AC-3 (3) – Access Enforcement: Mandatory Access Control ............................ Error! Bookmark not defined.
10.2.3.3 AC-3(4) – Access Enforcement: Discretionary Access Control (+ Classified Overlay) (- Standalone Overlay) . 8
10.2.3.4 AC-3(6) – Access Enforcement: Protection of User and System Information – WITHDRAWN Incorporated
into MP-4 and SC-28 ............................................................................................................................................................ 9
10.2.4 AC-4 – Information Flow Enforcement ................................................................................................................ 9
10.2.4.1 AC-4 (1) – Information Flow Enforcement: Object Security Attributes ............ Error! Bookmark not defined.
10.2.4.2 AC-4 (9) – Information Flow Enforcement: Human Reviews ............................ Error! Bookmark not defined.
10.2.5 AC-5 – Separation of Duties (+ Classified Overlay)............................................................................................... 9
10.2.6 AC-6 – Least Privilege (+ Classified & Privacy Overlay) ...................................................................................... 10
10.2.6.1 AC-6(1) – Least Privilege: Authorize Access to Security Functions ............................................................... 11
10.2.6.2 AC-6(2) – Least Privilege: Non-Privileged Access for Non-Security Functions .............................................. 11
10.2.6.3 AC-6(5) – Least Privilege: Privileged Accounts ............................................................................................. 12
10.2.6.4 AC-6(7) – Least Privilege: Review of User Privileges (+ Classified & Privacy Overlay) (- Standalone Overlay)
– NEW BASELINE ................................................................................................................................................................ 12
10.2.6.5 AC-6(8) – Least Privilege: Privilege Levels for Code Execution – NEW BASELINE ......................................... 12
10.2.6.6 AC-6(9) – Least Privilege: Auditing Use of Privileged Functions – NEW BASELINE ....................................... 13
10.2.6.7 AC-6(10) – Least Privilege: Prohibit Non-Privileged Users from Executing Privileged Functions – NEW
BASELINE 13
10.2.7 AC-7 – Unsuccessful Login Attempts ................................................................................................................. 14
10.2.7.1 AC-7 (2) – Unsuccessful Logon Attempts: Purge-Wipe Mobile Device (+ Classified & Intelligence Overlay)
Error! Bookmark not defined.
10.2.8 AC-8 – System Use Notification ......................................................................................................................... 14
10.2.9 AC-9 – Previous Logon (Access) Notification (+ Classified) – NEW......................... Error! Bookmark not defined.
10.2.10 AC-10 – Concurrent Session Control (- Standalone Overlay) – NEW BASELINE ................................................. 15
10.2.11 AC-11 – Session Lock (+ Classified) .................................................................................................................... 15
10.2.11.1 AC-11(1) – Session Lock: Pattern Hiding Displays (+ Classified Overlay) ...................................................... 16
10.2.12 AC-12 – Session Termination – NEW BASELINE ................................................................................................. 16
10.2.12.1 AC-12(1) – Session Termination: User-Initiated Logouts/Message Displays – NEW BASELINE .................... 17
10.2.13 AC-14 – Permitted Actions without Identification or Authentication ................................................................ 17
10.2.13.1 AC-14(1) - Permitted Actions without Identification or Authentication: Necessary Uses WITHDRAWN
Incorporated into AC-14 .................................................................................................................................................... 18
10.2.14 AC-16 – Security Attributes (+ Classified & Privacy Overlay) – NEW BASELINE ................................................. 18
10.2.14.1 AC-16(3) – Security Attributes: Maintenance of Attribute Associations by Information System (+ Privacy
Overlay) - NEW ...................................................................................................................... Error! Bookmark not defined.
10.2.14.2 AC-16(5) – Security Attributes: Attribute Displays for Output Devices (+ Classified Overlay) – NEW .......... 19
10.2.14.3 AC-16(6) – Security Attributes: Maintenance of Attribute Association by Organization (+ Classified Overlay)
– NEW 19
10.2.14.4 AC-16(7) – Security Attributes: Consistent Attribute Interpretation (+ Classified Overlay) (- Standalone
Overlay) – NEW ................................................................................................................................................................. 19
10.2.15 AC-17 – Remote Access (- Standalone & CRN Overlay)...................................................................................... 20
10.2.15.1 AC-17(1) – Remote Access: Automated Monitoring/Control (- Standalone & CRN Overlay) ....................... 20
10.2.15.2 AC-17(2) – Remote Access: Protection of Confidentiality/Integrity Using Encryption (- Standalone & CRN
Overlay) 21
10.2.15.3 AC-17(3) - Remote Access: Managed Access Control Points (- Standalone & CRN Overlay) ........................ 21
10.2.15.4 AC-17(4) – Remote Access: Privileged Commands/Access (- Standalone & CRN Overlay) .......................... 21
10.2.15.5 AC-17(6) – Remote Access: Protection of Information (- Standalone & CRN Overlay) ................................ 22
10.2.15.6 AC-17(7) – Remote Access: Additional Protection for Security Function Areas WITHDRAWN Incorporated
Into AC-3(10) ..................................................................................................................................................................... 22
10.2.15.7 AC-17(8) – Remote Access: Disable Nonsecure Network Protocols WITHDRAWN Incorporated Into CM-7 22
10.2.15.8 AC-17(9) – Remote Access: Disconnect/Disable Access (- Standalone Overlay) – NEW BASELINE .............. 22
10.2.16 AC-18 – Wireless Access (+ Classified Overlay) (- Standalone Overlay) ............................................................. 23
10.2.16.1 AC-18(1) – Wireless Access: Authentication & Encryption (- Standalone Overlay) ...................................... 23
10.2.16.2 AC-18(2) – Wireless Access: Monitoring Unauthorized Connections WITHDRAWN Incorporated Into SI-4 24
10.2.16.3 AC-18(3) – Wireless Access: Disable Wireless Networking (+ Classified Overlay) (- Standalone Overlay) ... 24
10.2.16.4 AC-18(4) – Wireless Access: Restrict Configurations by Users (+ Classified Overlay) (- Standalone Overlay)
24
10.2.17 AC-19 – Access Control for Mobile Devices (+ Classified) .................................................................................. 25
vi
10.2.17.1 AC-19(1) – Access Control for Mobile Devices: Use of Writable/Portable Storage Devices WITHDRAWN
Incorporated Into MP-7 ..................................................................................................................................................... 25
10.2.17.2 AC-19(2) – Access Control for Mobile Devices: Use of Personally-Owned Portable Storage Devices
WITHDRAWN Incorporated Into MP-7 .............................................................................................................................. 25
10.2.17.3 AC-19(3) – Access Control for Mobile Devices: Use of Portable Storage Devices with No Identifiable Owner
WITHDRAWN Incorporated Into MP-7 .............................................................................................................................. 25
10.2.17.4 AC-19(5) – Access Control for Mobile Devices: Full Device/Container Based Encryption (+ Privacy Overlay)
– NEW BASELINE ................................................................................................................................................................ 25
10.2.18 AC-20 – Use of External Information Systems (+ Classified) .............................................................................. 26
10.2.18.1 AC-20(1) – Use of External Information Systems: Limits on Authorized Use (+ Classified & Privacy Overlay)
(- Standalone & CRN Overlay) ............................................................................................................................................ 26
10.2.18.2 AC-20(2) – Use of External Information Systems: Portable Storage Devices (+ Classified Overlay) (- CRN
Overlay) 27
10.2.18.3 AC-20(3) – Use of External Information Systems/Non-Organizationally Owned Systems-Components-
Devices (+ Classified) – NEW BASELINE ............................................................................................................................. 28
10.2.18.4 AC-20(4) – Use of External Information Systems: Network Accessible Storage Devices (+ Classified Overlay)
(- Standalone Overlay) – NEW ........................................................................................................................................... 28
10.2.19 AC-21 – Information Sharing () .......................................................................................................................... 28
10.2.19.1 AC-21 (1) – Information Sharing: Automated Decision Support ...................... Error! Bookmark not defined.
10.2.20 AC-22 – Publicly Accessible Content)(- Standalone & CRN Overlay) .................................................................. 29
10.2.21 AC-23 – Data Mining Protection (+ Classified) (- Standalone Overlay) – NEW BASELINE................................... 30
Awareness and Training (AT) ....................................................................................................................................... 32
10.3.1 AT-1 – Security Awareness & Training Policy and Procedures ........................................................................... 32
10.3.2 AT-2 – Security Awareness (+ Classified) ........................................................................................................... 32
10.3.2.1 AT-2(2) – Security Awareness: Insider Threat (+ Classified Overlay) – NEW BASELINE ................................ 33
10.3.3 AT-3 – Role-Based Security Training .................................................................................................................. 33
10.3.3.1 AT-3(2) – Security Training: Physical Security Controls ................................................................................ 34
10.3.3.2 AT-3(4) – Security Training: Suspicious Communications and Anomalous System Behavior – NEW BASELINE
34
10.3.4 AT-4 – Security Training Records ....................................................................................................................... 34
10.3.5 AT-5 – Contacts with Security Groups and Associations WITHDRAWN Incorporated into PM-5 ...................... 35
Audit and Accountability (AU) ..................................................................................................................................... 36
10.4.1 AU-1 – Audit and Accountability Policy and Procedures.................................................................................... 36
10.4.2 AU-2 – Auditable Events .................................................................................................................................... 36
10.4.2.1 AU-2(3) – Auditable Events: Reviews and Updates ...................................................................................... 37
10.4.2.2 AU-2(4) – Audit Events: Privileged Functions WITHDRAWN Incorporated Into AC-6(9) .............................. 38
10.4.3 AU-3 – Content of Audit Records (+ Privacy Overlay) ........................................................................................ 38
10.4.3.1 AU-3(1) – Content of Audit Records: Additional Audit Information ............................................................. 39
10.4.4 AU-4 – Audit Storage Capacity (+ Privacy Overlay) (- Standalone Overlay) ....................................................... 39
10.4.4.1 AU-4(1) – Audit Storage: Transfer to Alternate Storage (- Standalone Overlay) – NEW BASELINE .............. 40
10.4.5 AU-5 – Response to Audit Processing Failures (- Standalone Overlay) .............................................................. 40
10.4.5.1 AU-5(1) – Response to Audit Processing Failures: Audit Storage Capacity (- Standalone Overlay) ............. 41
10.4.6 AU-6 – Audit Review, Analysis and Reporting (+ Classified Overlay) ................................................................. 41
10.4.6.1 AU-6(1) – Audit Review, Analysis and Reporting: Process Integration (- Standalone Overlay) .................... 42
10.4.6.2 AU-6(3) – Audit Review, Analysis, and Reporting: Correlate Audit Repositories (+ Privacy Overlay) (-
Standalone Overlay) .......................................................................................................................................................... 42
10.4.6.3 AU-6(4) – Audit Review, Analysis and Reporting: Central Review and Analysis (+ Classified Overlay) – NEW
BASELINE 42
10.4.6.4 AU-6(5) – Audit Review, Analysis, and Reporting: Scanning and Monitoring Capabilities (+ Classified
Overlay) – NEW ................................................................................................................................................................. 43
10.4.6.5 AU-6(8) – Audit Review, Analysis and Reporting: Full Text Analysis of Privileged Commands (+ Classified
Overlay) – NEW ................................................................................................................................................................. 43
10.4.6.6 AU-6(9) – Audit Review, Analysis and Reporting: Correlation with Information from Non-Technical Sources
(+ Classified Overlay) – NEW ............................................................................................................................................. 43
10.4.6.7 AU-6(10) – Audit Review, Analysis and Reporting: Audit Level Adjustment – NEW BASELINE .................... 44
10.4.7 AU-7 – Audit Reduction and Report Generation (+ Privacy Overlay) (- Standalone Overlay) ............................ 44
10.4.7.1 AU-7(1) – Audit Reduction and Report Generation: Automatic Processing (- Standalone Overlay) ............ 45
10.4.8 AU-8 – Time Stamps........................................................................................................................................... 45
vii
10.4.8.1 AU-8(1) – Time Stamps: Synchronization with an Authoritative Time Source (- Standalone Overlay) ........ 46
10.4.9 AU-9 – Protection of Audit Information (+ Privacy Overlay) .............................................................................. 46
10.4.9.1 AU-9(2) – Protection of Audit Information: Audit Backup on Separate Physical Systems/Components Error!
Bookmark not defined.
10.4.9.2 AU-9(3) – Protection of Audit Information: Cryptographic Protection (+ Privacy Overlay) - NEW .........Error!
Bookmark not defined.
10.4.9.3 AU-9(4) – Protection of Audit Information: Access by Subset of Privileged Users (- Standalone Overlay) .. 46
10.4.10 AU-10 – Non-Repudiation - NEW ........................................................................... Error! Bookmark not defined.
10.4.10.1 AU-10(1) – Non-Repudiation: Association of Identities ................................... Error! Bookmark not defined.
10.4.10.2 AU-10(5) – Non-Repudiation: Digital Signatures (+Intelligence Overlay) – WITHDRAWN Incorporated into
SI-7 47
10.4.11 AU-11 – Audit Record Retention ........................................................................................................................ 47
10.4.11.1 AU-11(1) – Audit Record Retention: Long-Term Retrieval Capability – NEW BASELINE ............................... 47
10.4.12 AU-12 – Audit Generation (+ Classified Overlay) ............................................................................................... 48
10.4.12.1 AU-12(1) Audit Generation: System-Wide/Time Correlated Audit Trail – NEW BASELINE .......................... 48
10.4.12.2 AU-12(3) – Audit Generation: Changes by Authorized Individuals – NEW BASELINE................................... 49
10.4.13 AU-13 – Monitoring for Information Disclosure .................................................... Error! Bookmark not defined.
10.4.14 AU-14 – Session Audit (+ Classified Overlay) – NEW BASELINE ......................................................................... 49
10.4.14.1 AU-14(1) – Session Audit: System Start-Up – NEW BASELINE ...................................................................... 49
10.4.14.2 AU-14(2) – Session Audit: Capture/Record and Log Content – NEW BASELINE ........................................... 50
10.4.14.3 AU-14(3) – Session Audit: Remote Viewing/Listening – NEW BASELINE...................................................... 50
10.4.15 AU-16 – Cross-Organizational Training (+ Classified Overlay) – NEW ................................................................ 50
10.4.15.1 AU-16(1) – Cross-Organizational Auditing: Identity Preservation (+ Classified Overlay) – NEW ................... 51
10.4.15.2 AU-16(2) – Cross-Organizational Auditing: Sharing of Audit Information (+ Classified Overlay) – NEW ...... 51
Security Assessment and Authorization (CA) .............................................................................................................. 52
10.5.1 CA-1 – Security Assessment and Authorization Policies & Procedures .............................................................. 52
10.5.2 CA-2 – Security Assessments ............................................................................................................................. 52
10.5.2.1 CA-2(1) – Security Assessments: Independent Assessors (- Standalone Overlay) ........................................ 53
10.5.3 CA-3 – Information System Connections (+ Classified Overlay) (- Standalone Overlay) .................................... 53
10.5.3.1 CA-3(1) – Information System Connections: Unclassified National Security System Connections (-
Standalone & CRN Overlay) ............................................................................................................................................... 54
10.5.3.2 CA-3(2) – Information System Connections: Classified National Security System Connections (+ Classified
Overlay) (- Standalone & CRN Overlay) ............................................................................................................................. 55
10.5.3.3 CA-3(3) – Information System Connections: Unclassified Non-National Security System Connections (+
Privacy Overlay) – NEW ......................................................................................................... Error! Bookmark not defined.
10.5.3.4 CA-3(5) – Information System Connections: Restrictions on External Network Connections – NEW
BASELINE 55
10.5.4 CA-5 – Plan of Action & Milestones ................................................................................................................... 55
10.5.5 CA-6 – Security Authorization ............................................................................................................................ 56
10.5.6 CA-7 – Continuous Monitoring .......................................................................................................................... 57
10.5.6.1 CA-7(1) – Continuous Monitoring: Independent Assessment (- Standalone Overlay) ................................. 58
10.5.7 CA-9 – Internal System Connections – NEW BASELINE ...................................................................................... 58
Configuration Management (CM) ............................................................................................................................... 59
10.6.1 CM-1 – Configuration Management Policy and Procedures .............................................................................. 59
10.6.2 CM-2 – Baseline Configuration .......................................................................................................................... 59
10.6.2.1 CM-2(1) – Baseline Configuration: Reviews & Updates ............................................................................... 60
10.6.2.2 CM-2 (5) – Baseline Configuration: Authorized Software WITHDRAWN Incorporated Into CM-7 ............... 61
10.6.3 CM-3 – Configuration Change Control ............................................................................................................... 61
10.6.3.1 CM-3(4) – Configuration Change Control: Security Representative .............................................................. 61
10.6.3.2 CM-3(6) – Configuration Change Control: Cryptography Management (+ Classified Overlay) – NEW
BASELINE 62
10.6.4 CM-4 – Security Impact Analysis) ....................................................................................................................... 62
10.6.5 CM-5 – Access Restrictions for Change .............................................................................................................. 63
10.6.5.1 CM-5(5) – Access Restrictions for Change: Limit Production/Operational Privileges (+ Classified Overlay) (-
Standalone Overlay) .......................................................................................................................................................... 63
10.6.5.2 CM-5(6) – Access Restrictions for Change: Limit Library Privileges .............................................................. 64
10.6.6 CM-6 – Configuration Settings ........................................................................................................................... 64
10.6.6.1 CM-6(3) – Configuration Settings: Unauthorized Change Detection WITHDRAWN Incorporated Into SI-7. 65
viii
10.6.6.2 CM-6(4) – Configuration Settings: Conformance Demonstration WITHDRAWN Incorporated Into CM-4 ... 65
10.6.7 CM-7 – Least Functionality ................................................................................................................................ 65
10.6.7.1 CM-7(1) – Least Functionality: Periodic Review (- Standalone Overlay) ...................................................... 66
10.6.7.2 CM-7(2) – Least Functionality: Prevent Program Execution (- Standalone Overlay) .................................... 66
10.6.7.3 CM-7(3) – Least Functionality: Registration Compliance (- Standalone Overlay)......................................... 66
10.6.7.4 CM-7(5) – Least Functionality: Authorized Software/Whitelisting – NEW BASELINE................................... 67
10.6.8 CM-8 – Information System Component Inventory ........................................................................................... 67
10.6.8.1 CM-8(2) – Information System Component Inventory: Automated Maintenance (- Standalone Overlay) –
NEW BASELINE................................................................................................................................................................... 68
10.6.8.2 CM-8(3) – Information System Component Inventory: Automated Unauthorized Component Detection (-
Standalone Overlay) – NEW BASELINE .............................................................................................................................. 68
10.6.9 CM-9 – Configuration Management Plan .......................................................................................................... 69
10.6.10 CM-10 – Software Usage Restrictions – NEW BASELINE .................................................................................... 69
10.6.10.1 CM-10(1) – Software Usage Restrictions: Open Source Software – NEW BASELINE .................................... 70
10.6.11 CM-11 – User Installed Software – NEW BASELINE ........................................................................................... 70
10.6.11.1 CM-11(2) – User Installed Software: Prohibit Installation with Privileged Status – NEW BASELINE ............ 71
Contingency Planning (CP)........................................................................................................................................... 72
10.7.1 CP-1 – Contingency Planning Policy and Procedures ......................................................................................... 72
10.7.2 CP-2 – Contingency Plan – Maybe tailorout based on contract requirements. ................................................. 72
10.7.3 CP-3 – Contingency Training .............................................................................................................................. 74
10.7.4 CP-4 – Contingency Plan Testing and Exercises ................................................................................................. 74
10.7.5 CP-6 - Alternate Storage Site (BASELINE) ............................................................... Error! Bookmark not defined.
10.7.6 CP-7 – Alternate Processing Site (- Standalone Overlay) ................................................................................... 75
10.7.6.1 CP-7 (5) – Alternate Processing Site: Equivalent Information Security Safeguards WITHDRAWN
Incorporated Into CP-7 ...................................................................................................................................................... 76
10.7.7 CP-9 – Information System Backup .................................................................................................................... 76
10.7.7.1 CP-9(1) – Information System Backup: Testing for Reliability/Integrity - BASELINE ...... Error! Bookmark not
defined.
10.7.8 CP-10 – Information System Recovery and Reconstitution ............................................................................... 77
Identification and Authentication (IA) ......................................................................................................................... 78
10.8.1 IA – 1 – Identification and Authentication Policy and Procedures ..................................................................... 78
10.8.2 IA-2 – Identification and Authentication (Organizational Users) (+ Classified) .................................................. 78
10.8.2.1 IA-2(1) – Identification and Authentication (Organizational Users): Network Access to Privileged Accounts
(+ Classified Overlay) (- Standalone Overlay) ........................................................................ Error! Bookmark not defined.
10.8.2.2 IA-2(2) – Identification and Authentication: Network Access to Non-Privileged Accounts (+ Classified
Overlay) (- Standalone Overlay) ........................................................................................................................................ 79
10.8.2.3 IA-2(3) – Identification and Authentication: Local Access to Privileged Accounts (- Standalone Overlay) .. 80
10.8.2.4 IA-2(4) – Identification and Authentication: Local Access to Non-Privileged Accounts (- Standalone
Overlay) 80
10.8.2.5 IA-2(5) – Identification and Authentication: Group Authentication (- Standalone Overlay) ........................ 80
10.8.2.6 IA-2(8) – Identification and Authentication: Network Access to Privileged Accounts – Replay Resistant (-
Standalone Overlay) .......................................................................................................................................................... 81
10.8.2.7 IA-2(9) – Identification and Authentication (Organizational Users): Network Access to Non-Privileged
Accounts – Replay Resistant (- Standalone Overlay) ......................................................................................................... 81
10.8.2.8 IA-2(11) – Identification and Authentication (Organizational Users): Remote Access-Separate Device (-
Standalone Overlay) – NEW BASELINE .............................................................................................................................. 82
10.8.2.9 IA-2(12) – Identification and Authentication (Organizational Users): Acceptance of PIV Credentials (-
Standalone Overlay) – NEW BASELINE .............................................................................................................................. 82
10.8.3 IA-3 – Device Identification and Authentication (- Standalone Overlay) ........................................................... 83
10.8.3.1 IA-3(1) – Device Identification and Authentication: Cryptographic Bi-Directional Authentication (-
Standalone Overlay) .......................................................................................................................................................... 83
10.8.3.2 IA-4 – Identifier Management ....................................................................................................................... 84
10.8.3.3 IIA-4(4) – Identifier Management: Identify User Status (- Standalone Overlay) .......................................... 84
10.8.4 IA-5 – Authenticator Management .................................................................................................................... 85
10.8.4.1 IA-5(1) – Authenticator Management: Password-Based Authentication ..................................................... 86
10.8.4.2 IA-5(2) – Authenticator Management: PKI-Based Authentication (- Standalone Overlay) .......................... 87
10.8.4.3 IA-5(4) – Authenticator Management: Automated Support for Password Strength Determination ........... 87
10.8.4.4 IA-5(7) – Authenticator Management: No Embedded Unencrypted Static Authenticators ......................... 88
ix
10.8.4.5 IA-5(8) – Authenticator Management: Multiple Information System Accounts .......................................... 88
10.8.4.6 IA-5(11) – Authenticator Management: Hardware Token-Based Authentication – NEW BASELINE ............ 88
10.8.4.7 IA-5(13) – Authenticator Management: Expiration of Cached Authenticators (- Standalone Overlay) – NEW
BASELINE 89
10.8.4.8 IA-5(14) – Authenticator Management: Managing Content of PKI Trust Stores (- Standalone Overlay) –
NEW BASELINE................................................................................................................................................................... 89
10.8.5 IA-6 – Authenticator Feedback .......................................................................................................................... 90
10.8.6 IA-7 – Cryptographic Module Authentication .................................................................................................... 90
10.8.7 IA-8 – Identification and Authentication (Non-Organizational Users) (- Standalone Overlay) .......................... 90
10.8.7.1 IA-8(1) – Identification and Authentication (Non-Organizational Users): Acceptance of PIV Credentials
from Other Agencies (- Standalone Overlay) – NEW BASELINE ......................................................................................... 91
10.8.7.2 IA-8(2) – Identification and Authentication (Non-Organizational Users): Acceptance of Third-Party
Credentials (- Standalone Overlay) – NEW BASELINE ........................................................................................................ 91
10.8.7.3 IA-8(3) – Identification and Authentication (Non-Organizational Users): Use of FICAM Approved Products
(- Standalone Overlay) – NEW BASELINE ........................................................................................................................... 92
10.8.7.4 IA-8(4) - Identification and Authentication (Non-Organizational Users): Use of FICAM Issued Profiles (-
Standalone Overlay) – NEW BASELINE .............................................................................................................................. 92
Incident Response (IR) ................................................................................................................................................. 93
10.9.1 IR-1 – Incident Response Policy and Procedures ............................................................................................... 93
10.9.2 IR-2 – Incident Response Training ...................................................................................................................... 93
10.9.3 IR-3 – Incident Response Testing ....................................................................................................................... 94
10.9.3.1 IR-3(2) – Incident Response Testing and Exercises: Coordination with Related Plans – NEW BASELINE ..... 94
10.9.4 IR-4 – Incident Handling ..................................................................................................................................... 95
10.9.4.1 IR-4(1) – Incident Handling: Automated Incident Handling Processes ......................................................... 95
10.9.4.2 IR-4(3) – Incident Handling: Continuity of Operations ................................................................................. 96
10.9.4.3 IR-4(4) – Incident Handling: Information Correlation .................................................................................. 96
10.9.4.4 IR-4(6) – Incident Handling: Insider Threats – Specific Capabilities – NEW BASELINE ................................. 96
10.9.4.5 IR-4(7) – Incident Handling: Insider Threats – Intra-Organization Coordination – NEW BASELINE .............. 97
10.9.4.6 IR-4(8) – Incident Handling: Correlation with External Organization – NEW BASELINE ............................... 97
10.9.5 IR-5 – Incident Monitoring ................................................................................................................................. 98
10.9.6 IR-6 – Incident Reporting ................................................................................................................................... 98
10.9.6.1 IR-6(1) – Incident Reporting: Automated Reporting .................................................................................... 99
10.9.6.2 IR-6(2) – Incident Reporting: Vulnerabilities Related to Incidents ................................................................ 99
10.9.7 IR-7 – Incident Response Assistance ................................................................................................................ 100
10.9.7.1 IR-7(1) – Incident Response Assistance: Automation Support for Availability of Information ................... 100
10.9.7.2 IR-7(2) – Incident Response Assistance: Coordination with External Providers ......................................... 100
10.9.8 IR-8 – Incident Response Plan .......................................................................................................................... 101
10.9.9 IR-9 – Information Spillage Response (+ Classified Overlay) – NEW BASELINE ................................................ 101
10.9.9.1 IR-9(1) – Information Spillage Response: Responsible Personnel (+ Classified Overlay) – NEW BASELINE 102
10.9.9.2 IR-9(2) – Information Spillage Response: Training (+ Classified Overlay) – NEW BASELINE ....................... 102
10.9.9.3 IR-9(4) – Information Spillage Response: Exposure to Unauthorized Personnel (+ Classified Overlay) – NEW
BASELINE 103
10.9.10 IR-10 – Integrated Information Security Cell (+ Privacy Overlay) – NEW BASELINE ......................................... 103
Maintenance (MA) .................................................................................................................................................... 104
10.10.1 MA-1 – System Maintenance Policy and Procedures ...................................................................................... 104
10.10.2 MA-2 – Controlled Maintenance ..................................................................................................................... 104
10.10.3 MA-3 – Maintenance Tools .............................................................................................................................. 105
10.10.3.1 MA-3(1) – Maintenance Tools: Inspect Tools............................................................................................. 105
10.10.3.2 MA-3(2) – Maintenance Tools: Inspect Media ........................................................................................... 105
10.10.3.3 MA-3(3) – Maintenance Tools: Prevent Unauthorized Removal (+ Classified Overlay) ............................. 106
10.10.4 MA-4 – Non-Local Maintenance (- Standalone Overlay) ................................................................................. 106
10.10.4.1 MA-4(1) – Non-Local Maintenance: Auditing and Review ......................................................................... 107
10.10.4.2 MA-4(3) – Non-Local Maintenance: Comparable Security/Sanitization (- Standalone Overlay) ................ 107
10.10.4.3 MA-4(6) – Non-Local Maintenance: Cryptographic Protection (+ Privacy Overlay) (- Standalone Overlay)
108
10.10.4.4 MA-4(7) – Non-Local Maintenance: Remote Disconnect Verification (- Standalone Overlay) ................... 108
10.10.5 MA-5 – Maintenance Personnel ...................................................................................................................... 109
10.10.5.1 MA-5(1) – Maintenance Personnel: Individuals without Appropriate Access (+ Classified Overlay) ......... 109
x
10.10.5.2 MA-5(2) – Maintenance Personnel: Security Clearances for Classified Systems ....................................... 110
10.10.5.3 MA-5(3) – Maintenance Personnel: Citizenship Requirements for Classified Systems .............................. 110
10.10.5.4 MA-5(4) – Maintenance Personnel: Foreign Nationals .............................................................................. 111
Media Protection (MP) .............................................................................................................................................. 112
10.11.1 MP-1 – Media Protection Policy and Procedures ............................................................................................ 112
10.11.2 MP-2 – Media Access (+ Classified) .................................................................................................................. 112
10.11.2.1 MP-2(2) – Media Access: Cryptographic Protection WITHDRAWN Incorporated Into SC-28 .................... 112
10.11.3 MP-3 – Media Marking (+ Classified) ............................................................................................................... 112
10.11.4 MP-4 – Media Storage (+ Classified) ................................................................................................................ 113
10.11.5 MP-5 – Media Transport (+ Classified) ............................................................................................................. 114
10.11.5.1 MP-5(3) – Media Transport: Custodians (+ Classified Overlay) – NEW ....................................................... 114
10.11.5.2 MP-5(4) – Media Transport: Cryptographic Protection (+ Classified) ........................................................ 115
10.11.6 MP-6 – Media Sanitization (+ Classified) .......................................................................................................... 115
10.11.6.1 MP-6(1) – Media Sanitization: Review/Approve/Track/Document/Verify (+ Classified) ........................... 115
10.11.6.2 MP-6(2) – Media Sanitization: Equipment Testing (+ Classified Overlay) .................................................. 116
10.11.6.3 MP-6(3) – Media Sanitization: Non-Destructive Techniques (+ Classified Overlay) .................................. 116
10.11.6.4 MP-6(4) – Media Sanitization: Controlled Unclassified Information WITHDRAWN Incorporated Into MP-6
117
10.11.6.5 MP-6(5) – Media Sanitization: Classified Information WITHDRAWN Incorporated Into MP-6 .................. 117
10.11.6.6 MP-6(6) – Media Sanitization: Media Destruction WITHDRAWN Incorporated Into MP-6 ....................... 117
10.11.7 MP-7 – Media Use (+ Classified Overlay) – NEW BASELINE ............................................................................. 117
10.11.7.1 MP-7(1) – Media Use: Prohibit Use without Owner – NEW BASELINE....................................................... 117
10.11.8 MP-8 – Media Downgrading (+ Classified Overlay) – NEW .............................................................................. 118
10.11.8.1 MP-8(1) – Media Downgrading: Documentation of Process (+ Classified Overlay) – NEW ........................ 118
10.11.8.2 MP-8(2) – Media Downgrading: Equipment Testing (+ Classified Overlay) – NEW .................................... 119
10.11.8.3 MP-8(4) – Media Downgrading: Classified Information (+ Classified Overlay) – NEW ............................... 119
Physical and Environment Protection (PE) ................................................................................................................ 120
10.12.1 PE-1 – Physical and Environmental Protection Policy and Procedures ............................................................ 120
10.12.2 PE-2 – Physical Access Authorizations ............................................................................................................. 120
10.12.2.1 PE-2(3) – Physical Access Authorizations: Restrict Unescorted Access (+ Classified Overlay) – NEW ....... 120
10.12.3 PE-3 – Physical Access Control ......................................................................................................................... 121
10.12.3.1 PE-3(1) – Physical Access Control: Information System Access – NEW BASELINE ...................................... 121
10.12.3.2 PE-3(2) – Physical Access Control: Facility/Information System Boundaries (+ Classified Overlay) ........... 122
10.12.3.3 PE-3(3) – Physical Access Control: Continuous Guards/Alarms/Monitoring (+ Classified Overlay) ........... 122
10.12.4 PE-4 – Access Control for Transmission Medium (+ Classified Overlay) (- Standalone Overlay) ...................... 123
10.12.5 PE-5 – Access Control for Output Devices ....................................................................................................... 123
10.12.5.1 PE-5(3) – Access Control for Output Devices: Marking Output Devices (+ Classified Overlay) – NEW ...... 123
10.12.6 PE-6 – Monitoring Physical Access ................................................................................................................... 124
10.12.6.1 PE-6(1) – Monitoring Physical Access: Intrusion Alarms/Surveillance Equipment – NEW BASELINE ......... 124
10.12.7 PE-7 – Visitor Control includes PE-7(1) – Visitor Control: Visitor Escort and PE-7(2) – Visitor Control: Visitor
Identification – WITHDRAWN Incorporated into PE-2 and PE-3 .......................................................................................... 125
10.12.8 PE-8 – Access Records ...................................................................................................................................... 125
10.12.9 PE-12 – Emergency Lighting ............................................................................................................................. 125
10.12.10 PE-13 – Fire Protection .................................................................................................................................... 125
10.12.11 PE-14 – Temperature and Humidity Controls .................................................................................................. 126
10.12.12 PE-15 – Water Damage Protection .................................................................................................................. 126
10.12.13 PE-16 – Delivery and Removal ......................................................................................................................... 127
10.12.14 PE-17 – Alternate Work Site ............................................................................................................................ 127
10.12.15 PE-19 – Information Leakage (+ Classified Overlay) ......................................................................................... 128
10.12.15.1 PE-19(1) – Information Leakage: National Emissions/TEMPEST Policies and Procedures (+ Classified
Overlay) 128
Planning (PL) .............................................................................................................................................................. 129
10.13.1 PL-1 – Security Planning Policy and Procedures .............................................................................................. 129
10.13.2 PL-2 – System Security Plan ............................................................................................................................. 129
10.13.2.1 PL-2(3) – System Security Plan: Coordinate with Organization Entities – NEW BASELINE ......................... 130
10.13.3 PL-4 – Rules of Behavior .................................................................................................................................. 131
10.13.3.1 PL-4(1) – Rules of Behavior: Social Media and Networking Restrictions – NEW BASELINE ........................ 131
10.13.4 PL-5 – Privacy Impact Assessment – WITHDRAWN Incorporated into Appendix J, AR-2................................. 132
xi
10.13.5 PL-6 – Security-Related Activity Planning – WITHDRAWN Incorporated into PL-2 .......................................... 132
10.13.6 PL-8 – Information Security Architecture– NEW BASELINE ............................................................................. 132
10.13.6.1 PL-8(1) – Information Security Architecture: Defense in Depth – NEW BASELINE ..................................... 133
10.13.6.2 PL-8(2) – Information Security Architecture: Supplier Diversity – NEW BASELINE .................................... 133
Personnel Security (PS) .............................................................................................................................................. 134
10.14.1 PS-1 – Personnel Security Policy and Procedures ............................................................................................ 134
10.14.2 PS-2 – Position Categorization ......................................................................................................................... 134
10.14.3 PS-3 – Personnel Screening .............................................................................................................................. 134
10.14.3.1 PS-3(1) – Personnel Screening: Classified Information (+ Classified Overlay) ............................................ 134
10.14.3.2 PS-3(3) – Personnel Screening: Information With Special Protection Measures (+ Privacy Overlay) – NEW
135
10.14.4 PS-4 – Personnel Termination (+ Classified) .................................................................................................... 135
10.14.4.1 PS-4(1) – Personnel Termination: Post-Termination Requirements (+ Classified Overlay) – NEW BASELINE
136
10.14.5 PS-5 – Personnel Transfer ................................................................................................................................ 136
10.14.6 PS-6 – Access Agreements ............................................................................................................................... 137
10.14.6.1 PS-6(1) – Access Agreements: Information Requiring Special Protection – WITHDRAWN Incorporated into
PS-3 138
10.14.6.2 PS-6(2) – Access Agreements: Classified Information Requiring Special Protection (+ Classified Overlay) 138
10.14.6.3 PS-6(3) – Access Agreements: Post-Employment Requirements (+ Classified Overlay) – NEW BASELINE . 138
10.14.7 PS-7 – Third-Party Personnel Security ............................................................................................................. 139
10.14.8 PS-8 - Personnel Sanctions ............................................................................................................................... 139
Risk Assessment (RA) ................................................................................................................................................. 141
10.15.1 RA-1 – Risk Assessment Policy and Procedures ............................................................................................... 141
10.15.2 RA-2 – Security Categorization ........................................................................................................................ 141
10.15.3 RA-3 – Risk Assessment ................................................................................................................................... 141
10.15.4 RA-5 – Vulnerability Scanning .......................................................................................................................... 142
10.15.4.1 RA-5(1) – Vulnerability Scanning: Update Tool Capability ......................................................................... 143
10.15.4.2 RA-5(2) – Vulnerability Scanning: Update by Frequency/Prior to New Scan/When Identified .................. 143
10.15.4.3 RA-5(4) – Vulnerability Scanning: Discoverable Information ..................................................................... 144
10.15.4.4 RA-5(5) – Vulnerability Scanning: Privileged Access .................................................................................. 144
10.15.4.5 RA-5(7) – Vulnerability Scanning: Automated Detection and Notification of Unauthorized Components –
WITHDRAWN Incorporated into CM-8 ............................................................................................................................ 144
10.15.5 RA-6 – Technical Surveillance Countermeasures Survey (+ Classified Overlay) – NEW ................................... 144
System and Services Acquisition ............................................................................................................................... 146
10.16.1 SA-1 – System and Services Acquisition Policy and Procedures....................................................................... 146
10.16.2 SA-2 – Allocation of Resources ........................................................................................................................ 146
10.16.3 SA-3 – System Development Life Cycle ............................................................................................................ 146
10.16.4 SA-4 – Acquisition Process ............................................................................................................................... 147
10.16.4.1 SA-4(1) – Acquisition Process: Functional Properties of Security Controls – NEW BASELINE .................... 147
10.16.4.2 SA-4(2) – Acquisition Process: Design/Implementation Information for Security Controls (- Standalone
Overlay) – NEW BASELINE ............................................................................................................................................... 148
10.16.4.3 SA-4(6) – Acquisition Process: Use of Information Assurance Products (+ Classified Overlay) .................. 148
10.16.4.4 SA-4(7) – Acquisition Process: NIAP Approved Protection Profiles – NEW BASELINE ................................ 149
10.16.4.5 SA-4(9) – Acquisition Process: Functions/Ports/Protocols/Services in Use – NEW BASELINE.................... 149
10.16.4.6 SA-4(10) – Acquisition Process: Use of Approved PIV Products (- Standalone Overlay) – NEW BASELINE 149
10.16.5 SA-5 – Information System Documentation .................................................................................................... 150
10.16.5.1 SA-5 (1) – Information System Documentation: Functional Properties of Security Controls – WITHDRAWN
Incorporated into SA-4(1) ................................................................................................................................................ 151
10.16.5.2 SA-5(2) – Information System Documentation: Security Relevant External System Interfaces –
WITHDRAWN Incorporated into SA-4(2) ......................................................................................................................... 151
10.16.6 SA-6 - Software Usage Restrictions – WITHDRAWN Incorporated into CM-10 and SI-7 .................................. 151
10.16.7 SA-7 – User-Installed Software – WITHDRAWN Incorporated into CM-11 and SI-7 ........................................ 151
10.16.8 SA-8 – Software Engineering Principles ........................................................................................................... 151
10.16.9 SA-9 – External Information System Services (- Standalone and CRN Overlay) ............................................... 151
10.16.9.1 SA-9(1) – External Information System Services: Risk Assessment/Organizational Approvals (- Standalone
Overlay) 152
xii
10.16.9.2 SA-9(2) – External Information System Services: Identification of Functions/Ports/Protocols/Services –
NEW BASELINE................................................................................................................................................................. 152
10.16.9.3 SA-9(5) – External Information System Services: Processing, Storage, and Service Location (+ Privacy
Overlay) – NEW ............................................................................................................................................................... 153
10.16.10 SA-10 – Developer Configuration Management .............................................................................................. 153
10.16.10.1 SA-10(1) – Developer Configuration Management: Software/Firmware Integrity Verification ................. 154
10.16.11 SA-11 – Developer Security Testing and Evaluation ........................................................................................ 154
10.16.12 SA-12 – Supply Chain Protection...................................................................................................................... 155
10.16.13 SA-15 – Development Process, Standards and Tools – NEW BASELINE ........................................................... 155
10.16.13.1 SA-15(9) – Development Process, Standards and Tools: Use of Live Data (+ Classified Overlay) – NEW
BASELINE 156
10.16.14 SA-17 – Developer Security Architecture and Design– NEW ........................................................................... 156
10.16.15 SA-19 – Component Authenticity – NEW BASELINE ........................................................................................ 157
Systems and Communications Protection (SC) .......................................................................................................... 158
10.17.1 SC-1 – Systems and Communications Protection Policy and Procedures ........................................................ 158
10.17.2 SC-2 – Application Partitioning (+ Classified Overlay) (- Standalone) .............................................................. 158
10.17.3 SC-3 – Security Function Isolation (+ Classified Overlay) – NEW ..................................................................... 158
10.17.4 SC-4 – Information in Shared Resources (-Standalone Overlay) ...................................................................... 158
10.17.5 SC-5 – Denial of Service Protection (- Standalone and CRN Overlay) .............................................................. 159
10.17.6 SC-5(1) – Denial of Service Protection: Restrict Internal Users (- Standalone and CRN Overlay).................... 159
10.17.7 SC-7 – Boundary Protection (- Standalone and CRN Overlay) .......................................................................... 160
10.17.7.1 SC-7(3) – Boundary Protection: Access Points (- Standalone and CRN Overlay) ........................................ 160
10.17.7.2 SC-7(4) – Boundary Protection: External Telecommunications Services (- Standalone and CRN Overlay) 161
10.17.7.3 SC-7(5) – Boundary Protection: Deny by Default/Allow by Exception (- Standalone and CRN Overlay) .... 161
10.17.7.4 SC-7(7) – Boundary Protection: Prevent Split Tunneling for Remote Devices (- Standalone and CRN
Overlay) 162
10.17.7.5 SC-7(8) – Boundary Protection: Route Traffic to Authenticated Proxy Servers (- Standalone and CRN
Overlay) 162
10.17.7.6 SC-7(9) – Boundary Protection: Restrict Threatening Outgoing Communications Traffic (- Standalone and
CRN Overlay) – NEW BASELINE........................................................................................................................................ 163
10.17.7.7 SC-7(10) – Boundary Protection: Prevent Unauthorized Exfiltration (- Standalone and CRN Overlay) ..... 163
10.17.7.8 SC-7(11) – Boundary Protection: Restrict Incoming Communications Traffic (- Standalone and CRN
Overlay) 163
10.17.7.9 SC-7(12) – Boundary Protection: Host-Based Protection (- Standalone and CRN Overlay) ........................ 164
10.17.7.10 SC-7(13) – Boundary Protection: Isolation of Security Tools/Mechanisms/Support Components (-
Standalone and CRN Overlay).......................................................................................................................................... 164
10.17.7.11 SC-7(14) – Boundary Protection: Protects Against Unauthorized Physical Connections (- Standalone
Overlay) 165
10.17.7.12 SC-7(17) – Boundary Protection: Automated Enforcement of Protocol Formats ...................................... 165
10.17.8 SC-8 – Transmission Confidentiality and Integrity (+ Classified) ...................................................................... 166
10.17.8.1 SC-8(1) – Transmission Confidentiality and Integrity: Cryptographic or Alternate Physical Protection (+
Classified ) – NEW BASELINE ............................................................................................................................................ 166
10.17.8.2 SC-8(2) – Transmission Confidentiality and Integrity: Pre/Post Transmission Handling (+ Classified Overlay)
(- Standalone Overlay) – NEW BASELINE ......................................................................................................................... 167
10.17.8.3 SC-8(3) – Transmission Confidentiality and Integrity: Cryptographic Protection for Message Externals (+
Classified Overlay) – NEW ............................................................................................................................................... 167
10.17.8.4 SC-8(4) – Transmission Confidentiality and Integrity: Conceal/Randomize Communications (+ Classified
Overlay) – NEW ............................................................................................................................................................... 167
10.17.9 SC-10 – Network Disconnect (- Standalone & CRN Overlay) ............................................................................ 168
10.17.10 SC-12 – Cryptographic Key Establishment and Management .......................................................................... 168
10.17.10.1 SC-12(2) – Cryptographic Key Establishment and Management/Symmetric Keys (+ Classified Overlay) –
NEW 169
10.17.10.2 SC-12(3) – Cryptographic Key Establishment and Management/Asymmetric Keys (+ Classified Overlay) –
NEW 169
10.17.11 SC-13 – Cryptographic Protection (+ Classified) ............................................................................................... 169
10.17.11.1 SC-13(3) – Cryptographic Protection: Individuals without Formal Access Approvals – WITHDRAWN
Incorporated into SC-13 .................................................................................................................................................. 170
10.17.12 SC-14 – Public Access Protections WITHDRAWN Incorporated into multiple controls .................................... 170
xiii
10.17.13 SC-15 – Collaborative Computing Devices (- Standalone & CRN Overlay) ....................................................... 170
10.17.13.1 SC-15(2) – Collaborated Computing Devices: Blocking Inbound/Outbound Communications Traffic
WITHDRAWN Incorporated into SC-7 .............................................................................................................................. 171
10.17.13.2 SC-15(3) – Collaborative Computing Devices: Disabling/Removal in Secure Work Areas (+ Classified
Overlay) (- Standalone & CRN Overlay) – NEW ............................................................................................................... 171
10.17.14 SC-17 – Public Key Infrastructure Certificates (- Standalone Overlay) ............................................................. 171
10.17.15 SC-18 – Mobile Code ........................................................................................................................................ 172
10.17.15.1 SC-18(1) – Mobile Code: Identify Unacceptable Code/Take Corrective Actions ........................................ 172
10.17.15.2 SC-18(2) – Mobile Code: Acquisition/Development/Use ........................................................................... 172
10.17.15.3 SC-18(3) – Mobile Code: Prevent Downloading/Execution ........................................................................ 173
10.17.15.4 SC-18(4) – Mobile Code: Prevent Automatic Execution ............................................................................. 173
10.17.16 SC-19 – Voice over Internet Protocol (VoIP) (- Standalone & CRN Overlay) .................................................... 174
10.17.17 SC-20 – Secure Name/Address Resolution Service (Authoritative Source) (- Standalone & CRN Overlay) ...... 174
10.17.17.1 SC-20(1) – Secure Name/Address Resolution Service (Authoritative Source): Child Subspaces WITHDRAWN
Incorporated into SC-20 .................................................................................................................................................. 175
10.17.18 SC-21 – Secure Name/Address Resolution Service (Recursive or Caching Resolver) (- Standalone & CRN
Overlay) 175
10.17.19 SC-22 – Architecture and Provisioning for Name/Address Resolution Service (- Standalone & CRN Overlay) 175
10.17.20 SC-23 – Session Authenticity (- Standalone Overlay) ....................................................................................... 176
10.17.20.1 SC-23(1) – Session Authenticity: Invalidate Session Identifiers at Logout (- Standalone Overlay) .............. 176
10.17.20.2 SC-23(2) – Session Authenticity: User Initiated Logouts/Message Displays WITHDRAWN Incorporated into
AC-12(1) 176
10.17.20.3 SC-23(3) – Session Authenticity: Unique Session Identifies with Randomization (- Standalone Overlay) . 176
10.17.20.4 SC-23(5) – Session Authenticity: Allowed Certificate Authorities (- Standalone Overlay) – NEW BASELINE
177
10.17.21 SC-28 – Protection of Information at Rest ....................................................................................................... 177
10.17.21.1 SC-28(1) – Protection of Information at Rest: Cryptographic Protection (+Classified) ............................... 178
10.17.22 SC-38 – Operations Security – NEW BASELINE................................................................................................. 178
10.17.23 SC-39 – Process Isolation – NEW BASELINE ..................................................................................................... 178
10.17.24 SC-42 – Sensor Capability and Data (+ Classified Overlay) – NEW ................................................................... 179
10.17.24.1 SC-42(3 – Sensor Capability and Data: Prohibit Use of Services (+ Classified Overlay) – NEW .................. 179
System and Information Integrity (SI) ....................................................................................................................... 181
10.18.1 SI-1 – System and Information Integrity Policy and Procedures ...................................................................... 181
10.18.2 SI-2 – Flaw Remediation .................................................................................................................................. 182
10.18.2.1 SI-2(1) – Flaw Remediation: Central Management – NEW BASELINE ........................................................ 182
10.18.2.2 SI-2(2) – Flaw Remediation: Automated Flaw Remediation Status ............................................................ 183
10.18.2.3 SI-2(3) – Flaw Remediation: Time to Remediate Flaws/Benchmarks for Corrective Actions (- Standalone
Overlay) 183
10.18.2.4 SI-2(4) – Flaw Remediation: Automated Patch Management Tools WITHDRAWN Incorporated into SI-2 183
10.18.2.5 SI-2(6) – Flaw Remediation: Removal of Previous Versions of Software/Firmware – NEW BASELINE ....... 183
10.18.3 SI-3 – Malicious Code Protection ..................................................................................................................... 184
10.18.3.1 SI-3(1) – Malicious Code Protection: Central Management (- Standalone Overlay) ................................... 185
10.18.3.2 SI-3(2) – Malicious Code Protection: Automatic Updates (- Standalone Overlay) ...................................... 185
10.18.3.3 SI-3(3) – Malicious Code Protection: Non-Privileged Users WITHDRAWN Incorporated into AC-6(10)...Error!
Bookmark not defined.
10.18.3.4 SI-3(5) – Malicious Code Protection: Portable Storage Devices – WITHDRAWN Incorporated into MP-7
Error! Bookmark not defined.
10.18.3.5 SI-3(10) – Malicious Code Protection: Malicious Code Analysis – NEW BASELINE...................................... 185
10.18.4 SI-4 – Information System Monitoring ............................................................................................................. 186
10.18.4.1 SI-4(1) – Information System Monitoring: System-Wide Intrusion Detection System (- Standalone Overlay)
186
10.18.4.2 SI-4(2) – Information System Monitoring: Automated Tools for Real-Time Analysis (- Standalone Overlay)
187
10.18.4.3 SI-4(4) – Information System Monitoring: Inbound and Outbound Communications Traffic (- Standalone
Overlay) 187
10.18.4.4 SI-4(5) – Information System Monitoring: System Generated Alerts (- Standalone Overlay) .................... 188
10.18.4.5 SI-4(6) – Information System Monitoring: Restrict Non-Privileged Users WITHDRAWN Incorporated into
AC-6(10) Error! Bookmark not defined.
xiv
10.18.4.6 SI-4(8) – Information System Monitoring: Protection of Monitoring Information WITHDRAWN
Incorporated into SI-4............................................................................................................ Error! Bookmark not defined.
10.18.4.7 SI-4(10) – Information System Monitoring: Visibility of Encrypted Communications (- Standalone Overlay)
– NEW BASELINE .............................................................................................................................................................. 188
10.18.4.8 SI-4(11) – Information System Monitoring: Analyze Communications Traffic Anomalies (- Standalone &
CRN Overlay) ................................................................................................................................................................... 188
10.18.4.9 SI-4(12) – Information System Monitoring: Automated Alerts (- Standalone Overlay) ............................. 189
10.18.4.10 SI-4(14) – Information System Monitoring: Wireless Intrusion Detection (- Standalone Overlay) ............ 189
10.18.4.11 SI-4(15) – Information System Monitoring: Wireless to Wireline Communications (- Standalone Overlay)
190
10.18.4.12 SI-4(16) – Information System Monitoring: Correlate Monitoring Information (- Standalone Overlay) .... 190
10.18.4.13 SI-4(19) – Information System Monitoring: Individuals Posing Greater Risk (+ Classified Overlay) – NEW
BASELINE 190
10.18.4.14 SI-4(20) – Information System Monitoring: Privileged User – NEW BASELINE........................................... 191
10.18.4.15 SI-4(21) – Information System Monitoring: Probationary Periods (+ Classified Overlay) - NEW ............... 191
10.18.4.16 SI-4(22) – Information System Monitoring: Unauthorized Network Services (- Standalone Overlay) – NEW
BASELINE 192
10.18.4.17 SI-4(23) – Information System Monitoring: Host-Based Devices (- Standalone Overlay) – NEW BASELINE
192
10.18.5 SI-5 – Security Alerts, Advisories, and Directives ............................................................................................. 192
10.18.5.1 SI-7(14) – Software, Firmware, and Information Integrity: Binary or Machine Executable Code – NEW
BASELINE 193
10.18.6 SI-10 – Information Input Validation (- Standalone Overlay) – NEW BASELINE .............................................. 193
10.18.7 SI-11 – Error Handling ...................................................................................................................................... 194
10.18.8 SI-12 – Information Handling and Retention ................................................................................................... 194
Program Management (PM) – NEW BASELINE .......................................................................................................... 196
10.19.1 PM-2 – Senior Information Security Officer ..................................................................................................... 196
10.19.2 PM-3 – Information Security Resources .......................................................................................................... 197
10.19.3 PM-4 – Plan of Action and Milestones Process ................................................................................................ 197
10.19.4 PM-5 – Information System Inventory ............................................................................................................. 198
10.19.5 PM-6 – Information Security Measures of Performance ................................................................................. 198
10.19.6 PM-7 – Enterprise Architecture ....................................................................................................................... 199
10.19.7 PM-8 – Critical Infrastructure Plan................................................................................................................... 199
10.19.8 PM-9 – Risk Management Strategy.................................................................................................................. 200
10.19.9 PM-10 – Security Authorization Process .......................................................................................................... 200
10.19.10 PM-11 – Mission/Business Process Definition ................................................................................................. 201
10.19.11 PM-12 – Insider Threat Program ...................................................................................................................... 201
10.19.12 PM-13 – Information Security Workforce ........................................................................................................ 201
10.19.13 PM-14 – Testing, Training, and Monitoring ..................................................................................................... 202
10.19.14 PM-15 – Contact with Security Groups and Associations ................................................................................ 202
10.19.15 PM-16 – Threat Awareness Program ............................................................................................................... 203
xv
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
BACKGROUND
With the transition to Risk Management Framework (RMF) within NISP, all systems requiring authorization or re-authorization
after March 2017 will follow the RMF methodology for Local Area Networks, Wide Area Networks and Interconnected Systems.
2. This document is based on the DSS Assessment and Authorization Manual (DAAPM)
For the purposes of Information Systems (IS), this SSP incorporates the content of the Security Controls Traceability Matrix
(SCTM) and an IA SOP.
2 APPLICABILITY
This template is applicable to all Information Systems (IS) that store, process and/or transmit classified information.
3 REFERENCES
This document is based on the following references:
NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4, Apr 13
CNSSI 1253, Security Categorization and Control Selection for National Security Systems, 12 May 14
4 RECIPROCITY
Reciprocity is defined as a “Mutual agreement among participating enterprises to accept each other’s security assessments in
order to reuse information system resources and/or to accept each other’s assessed security posture in order to share
information.” [CNSSI 4009]
This agreement, however, does not imply blind acceptance. The body of evidence used for assessments of the subject system
will be provided to the other participant(s) who have a vested interest in establishing a mutual agreement. The receiving party
will review the assessment evidence (e.g., system security plan (SSP), test plans, test procedures, test reports, exceptions) and
determine if there are any deltas in the evidence, (e.g., baseline/overlay controls that were tailored, a test item that was
omitted), and identify items that may require negotiations.
Reciprocity means that the system(s) will not be retested or undergo another full assessment. In the spirit of reciprocity, the
existing assessments will be accepted; only controls, test items or other pertinent items that were initially omitted are subject
to evaluation/testing to assure the system meets any additional protections required for a successful reciprocal agreement.
1
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
5 SYSTEM IDENTIFICATION
INSTRUCTIONS (DELETE IN FINAL DOCUMENT): All of the pre-printed text instructions, e.g., sentences that start with insert,
summarize or click here to insert text are content boxes. Click on the words to open the box and enter the text. SYSTEM
OVERVIEW
System Name Click here to enter text.
Unique Identifier Insert the organization defined unique identifier assigned to the system (e.g. CASTS
registration number). (If no number is assigned, leave blank.
Type of Information System Standalone
(Check One) Multi-User Standalone
Closed Restricted Network (Local Area Network)
Wide Area Network
Interconnected System – Contractor-to-Contractor
Interconnected System – Contractor-to-Government
Other:
Type of Plan: SSP
MSSP (Type Authorization)
The system is in the life-cycle phase noted in the table below.
System Status (Check One)
SECURITY CATEGORIZATION
5.2.1 Summary Results and Rationale
Summarize information in the sections below; e.g., System X is categorized as a Moderate-Low-Low system processing xxx
information types. A risk analysis indicated that no risk adjustment tailoring was required.
1
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
DAA PM Reference:
Final System Impact Categorization
Confidentiality Impact Integrity Impact Availability Impact Authority
Choose an item. Choose an item. Choose an item. e.g., ISO, SCG
RISK MANAGEMENT
Delegated Authorizing Official (DAO)
Name: Click here to enter text.
Organization: Click here to enter text.
Address: Click here to enter text.
Phone: Click here to enter text.
Email: Click here to enter text.
Information Owner/Steward
Name: Click here to enter text.
2
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
IA SUPPORT PERSONNEL
Instruction (DELETE IN FINAL DOCUMENT): The site maintains copies of the IA Appointment Letters for all IA Personnel on file
available for review. Additional IA personnel, such as the Information Assurance Support Officer (IASO) may be added.
3
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
7 SYSTEM ENVIRONMENT
PHYSICAL ENVIRONMENT
NIST 800-53/DAA PM Reference: PE-3
Is the secure facility accredited or approved to process and Yes
store information at the level covered by this SSP? No
Who accredited or approved the facility? Organization: Name:
Indicate if the facility is a Closed, or Restricted Area. Closed Date of Approval Click here to enter text.
Restricted Date of Approval Click here to enter
text.
Both Date of Approval Click here to enter text.
State the classification level approved for the facility, as well Secret NATO Others
as any caveats applied to the information. Top Secret RD COMSEC
FACILITY/SYSTEM LAYOUT
Insert diagram or include as an attachment.
PERSONNEL AUTHORIZATIONS
NIST 800-53, Rev. 4/DAA PM Reference: AC-2
4
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Instruction (DELETE IN FINAL DOCUMENT): Insert or reference organizational or system-specific user access policies relevant to
information types maintained on the information system. If appropriate, policies may be included in or placed in an appendix
to the SSP. Access controls will be enforced or adjudicated through technical means to protect the information types (e.g.
DAC/MAC).
Insert any additional organizational or system-specific user access policies.
SYSTEM ARCHITECTURE
Instruction (DELETE IN FINAL DOCUMENT): Describe the system architecture. As needed, show the architecture within the
authorization boundary (e.g. servers, workstations, printers, etc.) in diagram form and place it in Appendix A. Either reference
the location of the hardware and software lists or insert in Appendices B and C.
Describe System Architecture.
FUNCTIONAL ARCHITECTURE
Instruction (DELETE IN FINAL DOCUMENT): Describe or provide a diagram of the functional architecture of the system, e.g. Data
Flow.
Describe functional architecture; e.g., data flow. Insert diagram if appropriate.
Click here to enter text. Click here to enter text. Click here to enter text.
Click here to enter text. Click here to enter text. Click here to enter text.
Click here to enter text. Click here to enter text. Click here to enter text.
Click here to enter text. Click here to enter text. Click here to enter text.
9 INTERCONNECTIONS
DIRECT NETWORK CONNECTIONS
**NOTE: Direct network connections with external organizations, whether internal or external to the facility must be
addressed in an MOU/MOA and/or ISA. Indicate in Section 5.3.
5
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
6
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
READ ME FIRST:
ALL new Baseline Controls are indicated with NEW BASELINE included in the title.
Overlays are included with guidance regarding possible actions on behalf of the Program. These overlays either add or
remove security controls based on the configuration of the information system and the requirements of the Program.
ALL overlays that apply to a specific control are indicated in the Security Control title. A “+” means that the control is
required by one or more overlays; a “–“indicates that the control may be tailored out based on one or more overlays.
CRITERIA FOR THE CLASSIFIED OVERLAY: The Classified Overlay applies to ALL classified NSS including DoD and IS
and is considered part of the DAA PM baseline control set. Controls identified in the Classified Overlay may not be
tailored out and must be addressed in the security control description. All new baseline controls based on the
Classified overlay will be indicated with NEW in the control title.
CRITERIA FOR THE STANDALONE OVERLAY: This overlay may be applied for any IS that are operated in a purely
(not networked) standalone configuration, e.g., a laptop, standalone PC. Security controls that can be tailored out
base on the Standalone Overlay are identified by a (- per Standalone Overlay) in red text in the control name. If
control is not relevant to the IS, check the “Tailored Out” box; no further explanation is required. NOTE: Some of
the controls can only be tailored out for standalone IS that have ONLY one user. These are specifically identified.
CRITERIA FOR IMPLEMENTATION OF THE ISOLATED LAN/CLOSED RESTRICTED NETWORK OVERLAY: This overlay
may be applied for any IS that is operated in an internal network configuration that is not connected in any way to
an external network or information system. Security controls that can be uniquely tailored out are identified by a
(- CRN Overlay). If control is not relevant to the IS, check the “Tailored Out” box; no further explanation is
required.
NOTE FOR ALL OVERLAYS: EACH PROGRAM IS RESPONSIBLE FOR REVIEWING EVERY CONTROL
IN THE BASELINE AND DETERMINING IF THAT CONTROL IS APPLICABLE, WHETHER OR NOT AN
OVERLAY ALLOWS IT TO BE TAILORED OUT OR RECOMMENDS THE SECURITY CONTROL BE
ADDED TO THE BASELINE.
The security impact categorization of the IS for confidentiality will NEVER be lower than Moderate. In some cases, the IS will
required enhanced security for confidentiality, integrity and/or availability. In that case, the categorization for one or all
categories can be raised (e.g., from Moderate to High or from Low to Moderate, etc.) or the organization may only require
the addition of one or more specific security controls at the elevated security impact level. If additional security controls are
required, these must be added to the template and marked as “Tailored In.”
There is a short description for each control, which provides guidance on the implementation of that control. In the control
descriptions, organizational parameters or specific requirements are indicated in bold print. Please describe the information
security control as it is implemented on your system in the white sections in the tables below. You may tailor security
controls in/out based on the security impact categorization, applied overlay(s), and adjustments based on the risk
assessment. Security controls added uniquely by an overlay are indicated with a plus and the name of the overlay requiring
the control. If the control can be tailored out or must be tailored in due to an overlay, this is reflected in red text for each
affected control.
The continuous monitoring strategy for each control must be explained. This may include such language as how and when
reviews are conducted
The recommended continuous monitoring frequency from the DAAPM is provided; however, this may require adjustment
based on Program operational requirements. A change to the recommended frequency requires DAO approval. The
CONMON Reporting Spreadsheet (see Continuous Monitoring Guide) is intended to be used to track the most current review
date. If the recommended frequency is changed, a justification must be provided in the control implementation description.
In the blank for continuous monitoring strategy, indicate the means by which the control will be monitored; e.g., use
automated scanning tool, review and update document, download screenshots, etc.
1
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
2
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Establishes a process for reissuing shared/group account Click here to enter text.
credentials (if deployed) when individuals are removed
from the group
10.2.2.1 AC-2 (1) – Account Management: Automated System Account Management (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
3
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system automatically disables temporary and emergency accounts after not more than 72 hours.
4
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
5
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.2.7 AC-2(9) – Account Management: Restrictions on Use of Shared Groups/Accounts– NEW BASELINE
10.2.2.8 AC-2(10) – Account Management: Shared/Group Account Credential Termination – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system terminates shared/group account credential when a member/members leave the group. This
control supports insider threat mitigation.
Click here to enter text.
6
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.2.10 AC-2(13) – Account Management: Disable Accounts for High-Risk Individuals– NEW BASELINE
7
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Additionally, all information systems shall, at a minimum, enforce a Discretionary Access Control (DAC) policy that:
Allows users to specify and control sharing by named Click here to enter text.
individuals or groups of individuals, or by both
10.2.3.1 AC-3(2) – Access Enforcement: Dual Authorization (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization enforces dual authorization for all transfers of data from a classified computer network to removable
media.
This includes the technical separation of roles (e.g., DTA and ISSM or designated representative etc.). Only trained Data
Transfer Agents (DTAs) are authorized to transfer data from a IS to removable media. Only ISSM and/or designated
representatives are authorized to enable permissions to transfer data to removable media. This control supports insider
threat mitigation.
Data transfer authorization enforcement can be performed by the organization, but should have technical separation of
roles to support the organization’s implemented dual authorization process. Example of implementation meeting the spirit
of AC-3(2): The organization policy states that appropriately trained Data Transfer/Trusted Download Agents are the only
individuals authorized to transfer data from a classified system to removable media and only the ISSM and/or designated
representatives are authorized to enable permissions to transfer removable media.
Click here to enter text.
10.2.3.2 AC-3(4) – Access Enforcement: Discretionary Access Control (+ Classified Overlay) (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS with a single user.
Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
8
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.3.3 AC-3(6) – Access Enforcement: Protection of User and System Information – WITHDRAWN Incorporated into MP-4 and
SC-28
Specific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards,
encrypted tunnels, firewalls, and routers). These devices employ rule sets or establish configuration settings that restrict
information system services, provide a packet-filtering capability based on header information, or provide message-filtering
capabilities based on content (e.g., using key word searches or document characteristics). Within the environment,
information flow control is provided by the infrastructure via the implementation of various boundary protection devices.
9
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
11
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.6.4 AC-6(7) – Least Privilege: Review of User Privileges (+ Classified Overlay) (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS with a single user.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The Presidential Memo, National Insider Threat Policy and Minimum Standards for Insider Threat Programs, November 21,
2012, and DoDD 5205.16, The DoD Insider Threat Program, 30 Sep 2014, require that organizations develop insider threat
programs to include reporting the status of privileged users (e.g., total number, additions, deletions) on a quarterly basis.
Programs will report to the Special Programs Office.
The organization:
Reviews at least annually the privileges assigned to Click here to enter text.
privileged user accounts to include the DTA to validate
the need for such privileges
Reassigns or removes privileges, if necessary to correctly Click here to enter text.
reflect organizational mission/business needs
10.2.6.5 AC-6(8) – Least Privilege: Privilege Levels for Code Execution – NEW BASELINE
Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
12
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.6.6 AC-6(9) – Least Privilege: Auditing Use of Privileged Functions – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annually Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system audits the execution of privileged functions.
Privileged functions have elevated permissions to access, or grant access to Program information and/or PII. Accountability
requires the ability to detect, trace, and audit privileged functions. The information system prevents all
applications/programs from executing at higher levels than users executing the application/program. This control supports
insider threat mitigation.
Click here to enter text.
10.2.6.7 AC-6(10) – Least Privilege: Prohibit Non-Privileged Users from Executing Privileged Functions – NEW BASELINE
Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system prevents non-privileged users from executing privileged functions to include disabling,
circumventing, or altering implemented security safeguards/countermeasuresThis control supports insider threat mitigation.
13
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system:
Enforces a limit of maximum of three (3) consecutive Click here to enter text.
invalid logon attempts by a user during a fifteen (15)
minute time period
Automatically locks the account/node until released by Click here to enter text.
an administrator when the account is supported locally;
or if not supported locally, after a period of not less
than 15 minutes when the maximum number of
unsuccessful attempts is exceeded. (Includes the
requirements of AC-7(1))
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Notice and Consent Banners: “Standard mandatory notice and consent banners must be displayed at logon to all ISs and
standard mandatory consent notice and consent provisions will be included in all IS user agreements in accordance with
applicable security controls and implementation procedures.” The most current required text for the banner and user
agreements is listed within the DAAPM.
The information system:
Displays to users the DoD Information System Standard Click here to enter text.
Consent Banner before granting access to the system
that provides privacy and security notices consistent
with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance
and states that: Users are accessing a U.S. Government
14
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
15
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
16
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user)
accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access)
without terminating network sessions. Session termination terminates all processes associated with a user’s logical session
except those processes that are specifically created by the user (i.e., session owner) to continue after the session is
terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-
defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information
system use.
(b) displays an explicit logout message to users indicating the reliable termination of authenticated communications
sessions.
17
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.12.1 AC-14(1) - Permitted Actions without Identification or Authentication: Necessary Uses WITHDRAWN Incorporated into
AC-14
For example, the organization: a. Provides the means to associate [Classification level; accesses; and handling caveat] having
[Unclassified, Confidential, Secret, Top Secret; Apples, Oranges;, FOUO, NOFORN, etc.] with information in storage, in
process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the
information; c. Establishes the permitted [Classification level; accesses; and handling caveat] for [e.g., Apples Network,
FMDR LAN]; and d. Determines the permitted [e.g., user cannot select Apples if user selected Unclassified] for each of the
established security attributes. Example implementation for a system where all users are formally accessed to all
information: a) attributes (clearance, access, PII, etc.) are identified in the headers/footers, paragraph markings, or in the
filename; b) files are saved with these attributes; c) and d) see organization-defined values in example (c and d) above.
The organization:
Provides the means to associate classification and Click here to enter text.
Program caveats based on the Program SCG with
information in storage, in process, and/or in
transmission
Ensures that the security attribute associations are Click here to enter text.
made and retained with the information
Establishes the permitted attributes (e.g., classification Click here to enter text.
level, accesses, and handling caveat) IAW the SCG for
SAR IS
18
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.13.1 AC-16(5) – Security Attributes: Attribute Displays for Output Devices (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system displays security attributes in human-readable form on each object that the system transmits to
output devices to identify special dissemination, handling, or distribution instructions using human-readable, standard
naming conventions.
Information system outputs include, for example, pages, screens, or equivalent. Information system output devices include,
for example, printers and video displays on computer workstations, notebook computers, and personal digital assistants.
Click here to enter text.
10.2.13.2 AC-16(6) – Security Attributes: Maintenance of Attribute Association by Organization (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization allows personnel to associate, and maintain the association of the appropriate level of classification,
access and/or handling caveats associated with files they create in accordance with the SCG or locally defined security
policies. For example, The organization allows the user to select and manage the appropriate classification, access,
handling caveats for files (e.g., document, email, image, folder) they create in accordance with SCG or locally defined
security policies.
Click here to enter text.
10.2.13.3 AC-16(7) – Security Attributes: Consistent Attribute Interpretation (+ Classified Overlay) (- Standalone Overlay) – NEW
After a relevance determination, this control can be tailored out for standalone IS.
19
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.14.1 AC-17(1) – Remote Access: Automated Monitoring/Control (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.
20
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.14.2 AC-17(2) – Remote Access: Protection of Confidentiality/Integrity Using Encryption (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.
Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access
sessions. This control is considered an NSS best practice.
Click here to enter text.
10.2.14.3 AC-17(3) - Remote Access: Managed Access Control Points (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.
Recommended Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
All remote accesses shall be routed through a limited number of managed access control points (e.g., via an organizationally
managed remote access server, such as a Citrix Server). This control is considered an NSS best practice.
Click here to enter text.
10.2.14.4 AC-17(4) – Remote Access: Privileged Commands/Access (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.
21
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.14.5 AC-17(6) – Remote Access: Protection of Information (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.
Recommended Continuous Monitoring Frequency: Weekly Program Frequency:
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization ensures that users protect information about remote access mechanisms from unauthorized use and
disclosure. This control is considered an NSS best practice.
Click here to enter text.
10.2.14.6 AC-17(7) – Remote Access: Additional Protection for Security Function Areas WITHDRAWN Incorporated Into AC-3(10)
10.2.14.7 AC-17(8) – Remote Access: Disable Nonsecure Network Protocols WITHDRAWN Incorporated Into CM-7
10.2.14.8 AC-17(9) – Remote Access: Disconnect/Disable Access (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Weekly Program Frequency:
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
22
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
23
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.15.2 AC-18(2) – Wireless Access: Monitoring Unauthorized Connections WITHDRAWN Incorporated Into SI-4
10.2.15.3 AC-18(3) – Wireless Access: Disable Wireless Networking (+ Classified Overlay) (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization disables, when not intended for use, wireless networking capabilities internally embedded within
information system components prior to issuance and deployment. Document and ensure wireless is disabled or removed
from devices entering the facility, e.g., smart televisions, portable electronic devices, printers.
10.2.15.4 AC-18(4) – Wireless Access: Restrict Configurations by Users (+ Classified Overlay) (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization identifies and explicitly authorizes users allowed to independently configure wireless networking
24
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
The organization:
Establishes usage restrictions, configuration Click here to enter text.
requirements, connection requirements, and
implementation guidance for organization-controlled
mobile devices
Authorizes the connection of mobile devices to Click here to enter text.
organizational information systems
10.2.16.1 AC-19(1) – Access Control for Mobile Devices: Use of Writable/Portable Storage Devices WITHDRAWN Incorporated Into
MP-7
10.2.16.2 AC-19(2) – Access Control for Mobile Devices: Use of Personally-Owned Portable Storage Devices WITHDRAWN
Incorporated Into MP-7
10.2.16.3 AC-19(3) – Access Control for Mobile Devices: Use of Portable Storage Devices with No Identifiable Owner WITHDRAWN
Incorporated Into MP-7
10.2.16.4 AC-19(5) – Access Control for Mobile Devices: Full Device/Container Based Encryption (+ Privacy Overlay) – NEW
BASELINE
This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit privacy information.
The control description must include the means by which the organization addresses the implementation of this control.
Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
25
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.17.1 AC-20(1) – Use of External Information Systems: Limits on Authorized Use (+ Classified) (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.
This MLL baseline control is also required by the Privacy Overlay for IS that process, store or transmit privacy information.
The control description must include the means by which the organization addresses the privacy-related implementation of
this control.
26
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
The organization permits authorized individuals to use an interconnected external information system or to process store or
transmit organizational-controlled information only when the organization:
Verifies the implementation of required security controls on
the external system as specified in the organizations
information security policy and security plan or…
Retains approved information system connection or
processing agreements with the organizational entity
hosting the external information system.
10.2.17.2 AC-20(2) – Use of External Information Systems: Portable Storage Devices (+ Classified Overlay)
After a relevance determination, this control can be tailored out for closed restricted networks, but must be considered as
part of the Classified Overlay.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Organizations shall limit the use of organization-controlled portable/removable storage media by authorized individuals on
External Information Systems. DAO approval is required. This control supports insider threat mitigation.
27
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.17.4 AC-20(4) – Use of External Information Systems: Network Accessible Storage Devices (+ Classified Overlay) (- Standalone
Overlay) – NEW
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Network accessible storage devices in external information systems include, for example, online storage devices in public,
hybrid, or community cloud-based systems. The organization prohibits the use of fined network accessible storage devices in
external information systems, unless specifically approved by the AO/DAO.
Click here to enter text.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
28
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
A sharing partner may be an individual or group on the IS, or external to the IS, e.g., sharing is being done in a circumstance
where the IS cannot enforce appropriate sharing controls, e.g., VTCs, phone conversations, and fax transmittals. The
organization will use an approved mechanism to ensure informed security decisions are made, preventing inadvertent
disclosures.
The organization:
Facilitates information sharing by enabling authorized Click here to enter text.
users to determine whether access authorizations
assigned to the sharing partner match the access
restrictions on the information
Employs automated or manual review process to assist
users in making information sharing/ collaboration
decisions
29
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.2.20 AC-23 – Data Mining Protection (+ Classified) (- Standalone Overlay) – NEW BASELINE
This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit privacy information.
The control description must include the means by which the organization addresses the implementation of this control.
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization employs data mining prevention and detection for Program information to adequately detect and protect
against data mining.
Data mining prevention and protection techniques include limiting responses provided to queries and notifying responsible
personnel when an unauthorized or atypical access attempt occurs.
30
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
31
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
32
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.3.2.1 AT-2(2) – Security Awareness: Insider Threat (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
These can include behaviors such as job dissatisfaction, unexplained financial resources, consistent violations of
organizational policies, etc. Carnegie Mellon Software Engineering Institute has been conducting research on insider threat
indicators for several years. Additional information on insider threat indicators can be found at:
http://www.cert.org/insider-threat/.
Click here to enter text.
33
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.3.3.2 AT-3(4) – Security Training: Suspicious Communications and Anomalous System Behavior – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization provides training to its personnel on indicators in order to recognize of suspicious communications and/or
anomalous system behavior (e.g., receiving a suspicious email, an unexpected web communication, etc.).
Click here to enter text.
34
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Initial training records must contain legal signatures, or FIPS 140-2-compliant digital signatures, of users who received the
training. Refresher training may be documented through user-initialed attendance rosters, e-mail acknowledgments,
USERIDs captured through online content delivery systems, or other similar user acknowledgments. In addition,
organizations shall maintain training records.
The organization:
Documents and monitors individual information system Click here to enter text.
security training activities including basic security
awareness training and specific information system
security training
Retains individual training records for at least five (5) Click here to enter text.
years
10.3.5 AT-5 – Contacts with Security Groups and Associations WITHDRAWN Incorporated into PM-5
35
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Control: The organization:
a. Develops, documents, and disseminates to ISSO, ISSM, FSO and designated users and auditing personnel.
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit
and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy at least annually; and
2. Audit and accountability procedures at least annually.
36
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The Organization reviews and updates the audit events annually and based on situational awareness of threats and
vulernabilities. The auditable events baseline list, as defined in the tables above, shall be reviewed annually or as policy and
procedures dictate changes are required. The review shall include coordination with other organizational entities requiring
audit-related information (e.g., Incident Response, Counterintelligence) to enhance mutual support and to help guide the
selection of auditable events. This control supports insider threat mitigation.
37
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.4.2.2 AU-2(4) – Audit Events: Privileged Functions WITHDRAWN Incorporated Into AC-6(9)
Manual audit logs may be used to record the transmission of any data over a fax connected to a secure voice line (e.g.,
Secure Terminal Equipment (STE)). Reference DoDM 5205.07-V1, Enclosure 5, para 2.b. These logs will be maintained for
one year and must include the following information:
Sender’s name, organization and telephone number
Date and time of fax transmission
Classification level of the information
Recipient’s name, organization and telephone number
Click here to enter text.
38
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged
commands or the individual identities of group account users. Organizations consider limiting the additional audit
information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails
and audit logs by not including information that could potentially be misleading or could make it more difficult to locate
information of interest.
39
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.4.4.1 AU-4(1) – Audit Storage: Transfer to Alternate Storage (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system off-loads audit records based on organizational requirements onto a different system or media
than the system being audited. Organizations should assign a frequency or threshold capacity when audit records are off-
loaded. Related control: AU-9(2).
Click here to enter text.
Takes the following additional actions: at a minimum, Click here to enter text.
record any audit processing failure in the audit log
40
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.4.5.1 AU-5(1) – Response to Audit Processing Failures: Audit Storage Capacity (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS with single users.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system provides a warning to ISSM and IA personnel immediately when allocated audit record storage
volume reaches [75 percent] of repository maximum audit record storage capacity. This control supports insider threat
mitigation.
Auditing processing failures include, e.g. software/hardware errors, failures in the audit capturing mechanisms, and audit
storage capacity being reached or exceeded.
Reports findings to ISO, ISSM and FSO Click here to enter text.
41
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.4.6.1 AU-6(1) – Audit Review, Analysis and Reporting: Process Integration (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Information systems shall integrate and, to the extent possible, automate audit review, analysis, and reporting processes to
support organizational processes for investigation and response to suspicious activities.
Click here to enter text.
10.4.6.2 AU-6(3) – Audit Review, Analysis, and Reporting: Correlate Audit Repositories - Standalone Overlay
After a relevance determination, this control can be tailored out for standalone IS.
10.4.6.3 AU-6(4) – Audit Review, Analysis and Reporting: Central Review and Analysis (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system provides the capability to centrally review and analyze audit records from multiple components
42
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.4.6.4 AU-6(5) – Audit Review, Analysis, and Reporting: Scanning and Monitoring Capabilities (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization integrates analysis of audit records with analysis of vulnerability scanning information; performance data;
and/or information system monitoring information; and Program-defined data/information collected from other sources to
further enhance the ability to identify inappropriate or unusual activity.
Click here to enter text.
10.4.6.5 AU-6(8) – Audit Review, Analysis and Reporting: Full Text Analysis of Privileged Commands (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization performs a full text analysis of audited privileged commands in a physically distinct component or
subsystem of the information system, or other information system that is dedicated to that analysis.
Click here to enter text.
10.4.6.6 AU-6(9) – Audit Review, Analysis and Reporting: Correlation with Information from Non-Technical Sources (+ Classified
Overlay) – NEW
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
43
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization correlates information from nontechnical sources with audit information to enhance organization wide
situational awareness.
Click here to enter text.
10.4.6.7 AU-6(10) – Audit Review, Analysis and Reporting: Audit Level Adjustment – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a
change in risk based on law enforcement information, intelligence information, or other credible source of information.
Click here to enter text.
10.4.7 AU-7 – Audit Reduction and Report Generation (+ Privacy Overlay) (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
This MLL baseline control is also required by the Privacy Overlay for IS that process, store or transmit privacy information.
The control description must include the means by which the organization addresses the privacy-related implementation of
this control.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system provides an audit reduction and report generation capability that:
44
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.4.7.1 AU-7(1) – Audit Reduction and Report Generation: Automatic Processing (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system provides the capability to sort and search audit records for events of interest based on selectable
event criteria.
Click here to enter text.
Records time stamps for audit records that can be Click here to enter text.
mapped to Coordinated Universal Time (UTC) or
Greenwich Mean Time (GMT). Time stamps shall
include both date and time.
45
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.4.8.1 AU-8(1) – Time Stamps: Synchronization with an Authoritative Time Source (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Information systems shall synchronize internal information system clocks, at least every 24 hours, with an organization-
defined time source, e.g. Domain Controller, US Naval Observatory time server. Synchronizes the internal system clocks
to the authoritative time source when the time difference is greater than the organizationally defined granularity in AU-8.
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit
information system activity. Audit information shall be handled and protected at the same security level of the information
system from which it originated, until reviewed and a determination is made of the actual classification.
Click here to enter text.
10.4.9.1 AU-9(4) – Protection of Audit Information: Access by Subset of Privileged Users (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS with a single user.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
46
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Where applicable, access shall be further restricted by distinguishing between privileged users with audit-related privileges
and privileged users without audit-related privileges to improve audit integrity. Limiting the users with audit-related
privileges helps to mitigate the risk of unauthorized access, modification, and deletion of audit information. This control
supports insider threat mitigation.
Click here to enter text.
10.4.9.2 AU-10(5) – Non-Repudiation: Digital Signatures (+Intelligence Overlay) – WITHDRAWN Incorporated into SI-7
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Organizations shall retain audit records for a minimum of five (5) years for IS to provide support for after-the-fact
investigations of security incidents and to meet regulatory and organizational information retention requirements.
Click here to enter text.
10.4.10.1 AU-11(1) – Audit Record Retention: Long-Term Retrieval Capability – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization employs a retention technology to access audit records for the duration of the required retention period to
47
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.4.11.1 AU-12(1) Audit Generation: System-Wide/Time Correlated Audit Trail – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system compiles audit records from information systems auditable devices into a system-wide (logical or
physical) audit trail that is time-correlated to within the tolerance defined in AU-8 and AU 12.
The AU-12 (1) organization-defined IS components is a subset of the organization-defined components in AU-12 focused on
correlated and centralizing specific audits.
Click here to enter text.
48
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
The information system binds the identity of the information producer to the information and provides the means for
authorized individuals to determine the identity of the producer of the information.
49
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.4.12.2 AU-14(2) – Session Audit: Capture/Record and Log Content – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system provides the capability for authorized users to capture/record and log content related to a user
session.
Click here to enter text.
50
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.4.13.2 AU-16(2) – Cross-Organizational Auditing: Sharing of Audit Information (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization provides cross-organizational audit information to specifically-identified organizations based on sharing
agreements as identified in an ISA, SLA, or MOA.
Click here to enter text.
51
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
52
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Assesses the security controls in the information system Click here to enter text.
and its environment of operation at least annually, or as
stipulated in the organization's continuous monitoring
program to determine the extent to which the controls
are implemented correctly, operating as intended, and
producing the desired outcome with respect to meeting
established security requirements
Produces a security assessment report that documents Click here to enter text.
the results of the assessment
Provides the results of the security control assessment Click here to enter text.
to the SCA and the DAO/DAO Rep and the ISSM/ISSO.
53
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Organizations shall identify any connections of an information system to an external information system in the SSP and
ensure connections from the information system to external information systems are authorized through the use of an ISA.
An external information system is an information system or component that is outside the authorization boundary as
defined in the SSP. (Reference AC-20.) If the interconnecting systems have the same AO, an ISA is not required.
Organizations typically have no direct control over the security controls or security control effectiveness for these external
systems or components. Organizations shall monitor all information system connections on an ongoing basis to verify
enforcement of the security requirements. If the interconnecting systems have the same AO, an ISA is not required,
although one may still be beneficial.
When a need arises to connect two different IS operating at different security classification levels, the connection is referred
to as a cross domain connection. Any cross domain connection must be identified first to the Service or Agency Cross
Domain Support Element (CDSE)
The direct connection of any information system to an external network is prohibited. No direct connection means that an
information system cannot connect to an external network without the use of an approved boundary protection device
(e.g., firewall or cross domain device) that mediates the communication between the system and the network.
The organization:
Authorizes connections from the information system to Click here to enter text.
other information systems through the use of
Interconnection Security Agreements
Documents, for each interconnection, the interface Click here to enter text.
characteristics, security requirements, and the nature of
the information communicated
Reviews and updates Interconnection Security Click here to enter text.
Agreements annually
10.5.3.1 CA-3(1) – Information System Connections: Unclassified National Security System Connections (- Standalone & CRN
Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization prohibits the direct connection of a system processing to an external network without DAO approval and
the use of approved boundary protection devices.
Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection
devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified national security
systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting
Controlled Unclassified Information (CUI).
54
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.5.3.2 CA-3(2) – Information System Connections: Classified National Security System Connections (+ Classified Overlay) (-
Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization prohibits the direct connection of a classified, national security system processing SAR to an external
network without DAO approval and the use of approved boundary protection devices.
Click here to enter text.
10.5.3.3 CA-3(5) – Information System Connections: Restrictions on External Network Connections – NEW BASELINE
55
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
The POA&M is used by the AO and SCA to monitor the progress in mitigating any findings. POA&M entries are required even
when weaknesses or deficiencies found during the assessment are remediated prior to the submission of the authorization
package to the AO. Once an authorization is issued with a POA&M, adjusting the approved milestones and scheduled
completion dates is not allowed without coordination with AO. (NOTE: For Army, those weaknesses found during the
assessment, but remediated on site, will be included in the SAR, but not the POA&M).
The organization:
Develops a plan of action and milestones for the Click here to enter text.
information system to document the organization’s
planned remedial actions to correct weaknesses or
deficiencies noted during the assessment of the security
controls and to reduce or eliminate known
vulnerabilities in the system
Updates existing plan of action and milestones at least Click here to enter text.
quarterly based on the findings from security controls
assessments, security impact analyses, and continuous
monitoring activities
56
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Ensures that the authorizing official authorizes the This control falls under DSS cognizance
information system for processing before commencing
operations
Updates the security package if the organization and/or This control falls under DSS cognizance
system is adequately covered by a continuous
monitoring program the Security Authorization may be
continuously updated: If not; at least every three (3)
years, when significant security breaches occur,
whenever there is a significant change to the system, or
to the environment in which the system operates
Establishment of monitoring frequency for each security Click here to enter text.
control and frequency of assessments supporting such
monitoring
57
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Documents, for each internal connection, the interface Click here to enter text.
characteristics, security requirements, and the nature
of the information communicated
58
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
A baseline configuration describes the approved configuration of an information system including all hardware
(manufacturer, model and serial number or unique identifier), software (manufacturer, name, version number),
and firmware components (manufacturer, name and version number), how various security controls are
implemented, how the components are interconnected, and the physical and logical locations of each.
59
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
60
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.6.2.2 CM-2 (5) – Baseline Configuration: Authorized Software WITHDRAWN Incorporated Into CM-7
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The Organization must:
a. Determine the types of changes to the information system that are configuration-controlled;
b. Review proposed configuration-controlled changes to the information system and approves or disapproves such changes
with explicit consideration for security impact analyses;
e. Retain records of configuration-controlled changes to the information system for the life of the system.
f. Audit and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinate and provide oversight for configuration change control activities through establishment of a group of
individuals with the collective responsibility and authority to review and approve proposed changes to the IS that convenes
as defined in the local SSP and when there is a significant change to the system or the environment in which the system
operates. This could be a function overseen only by the ISSM and/or ISSO/AO.
61
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.6.3.2 CM-3(6) – Configuration Change Control: Cryptography Management (+ Classified Overlay) – NEW BASELINE
This MLL baseline control is also required by the Privacy Overlay for IS that process, store or transmit privacy information.
The control description must include the means by which the organization addresses the privacy-related implementation of
this control.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization ensures that cryptographic mechanisms (public key, private key, etc…)used to provide safeguarding of
classified information from unauthorized access or modification is under configuration management policy
Click here to enter text.
62
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
The organization permits only qualified and authorized individuals (Privileged) to access information systems for purposes
of initiating changes, including upgrades and modifications. These access restrictions enforce configuration control to the
information system.
10.6.5.1 CM-5(5) – Access Restrictions for Change: Limit Production/Operational Privileges (+ Classified Overlay) (- Standalone
Overlay)
After a relevance determination, this control can be tailored out for standalone IS with a single user.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization:
(a) Limits developing/integrator privileges to change information system components (hardware,
software, and firmware) and system-related information within a production or operational
environment; and
63
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
The organization limits privileges to change software resident within software libraries.
Where possible, organizations shall employ automated mechanisms to enforce access restrictions and support auditing of
the enforcement actions. This control supports insider threat mitigation.
64
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Identifies, documents, and approves any deviations Click here to enter text.
from established configuration settings for all
configurable IS components based on mission
requirements
Monitors and controls changes to the configuration Click here to enter text.
settings in accordance with organizational policies and
procedures
10.6.6.1 CM-6(3) – Configuration Settings: Unauthorized Change Detection WITHDRAWN Incorporated Into SI-7
10.6.6.2 CM-6(4) – Configuration Settings: Conformance Demonstration WITHDRAWN Incorporated Into CM-4
a. Document in the security plan, essential capabilities which the information system must
provide. The organization configures the information system to provide only those
documented essential capabilities.
b. Prohibits or restricts the use of ports, protocols, and services using least functionality. Ports
will be denied access by default, and allow access by exception as documented in the system
security plan.
65
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization must:
a. Reviews the information system annually to identify unnecessary and/or nonsecure functions, ports,
protocols, and services; and
b. Disables ports, protocols, and services within the information system deemed to be unnecessary (documented
in the SSP CM-7)
66
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
The organization must maintain an audit trail of the review and update.
67
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.6.8.1 CM-8(2) – Information System Component Inventory: Automated Maintenance (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available
inventory of information system components.
Click here to enter text.
10.6.8.2 CM-8(3) – Information System Component Inventory: Automated Unauthorized Component Detection (- Standalone
Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
68
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
(a) Employ automated mechanisms continuously to detect the presence of unauthorized hardware, software, and
firmware components within the information system; and
(b) Take the following actions when unauthorized components are detected: Documents and implements a
process to take action to disable network access by unauthorized software, hardware, and firmware components,
isolate the components, and/or notify the ISSO and ISSM and others as the local organization deems appropriate.
The organization must maintain an audit trail of actions taken upon detection of unauthorized software, hardware,
and firmware components.
Establishes a process for identifying configuration items Click here to enter text.
throughout the system development life cycle and for
managing the configuration of the configuration items
Defines the configuration items for the information Click here to enter text.
system and places the configuration items under
configuration management
Protects the configuration management plan from Click here to enter text.
unauthorized disclosure and modification
69
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.6.10.1 CM-10(1) – Software Usage Restrictions: Open Source Software – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization establishes the following restrictions on the use of open source software:
Open source software may only be used if specifically approved by the DAO and the organization meets all licensing issues
associated with the software.
Click here to enter text.
70
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.6.11.1 CM-11(2) – User Installed Software: Prohibit Installation with Privileged Status – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
71
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
72
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Identifies essential missions and business functions and Click here to enter text.
associated contingency requirements;
Distributes copies of the contingency plan to all Click here to enter text.
stakeholders identified in the contingency plan via an
information sharing capability
73
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Protects the contingency plan from unauthorized Click here to enter text.
disclosure and modification
74
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Tests the contingency plan for the information system Click here to enter text.
annually using full scale contingency plan testing or
functional/tabletop exercises to determine the
effectiveness of the plan and the organizational
readiness to execute the plan.
Documents and reviews the contingency plan Click here to enter text.
test/exercise results,
Initiates the corrective actions, if needed.
Establish an alternate processing site including Tailored out, low availability impact
necessary agreements to permit the resumption of
information system operations for essential
mission/business functions. The organization will define
the time period consistent with recovery time and
recovery point objectives for essential mission/business
functions to permit the transfer and redemption of
organization-defined information system operations at
an alternate processing site when the primary
processing capabilities are unavailable.
Ensure that equipment and supplies required to resume Tailored out, low availability impact
operations are available at the alternate processing site
or contracts are in place to support delivery to the site
75
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Ensure that the alternate processing site provides Tailored out, low availability impact
information security safeguards equivalent to that of
the primary site
Develop alternate processing site agreements (e.g., Tailored out, low availability impact
MOA/MOU) that contain priority-of-service provisions in
accordance with the organization’s availability
requirements
10.7.5.1 CP-7 (5) – Alternate Processing Site: Equivalent Information Security Safeguards WITHDRAWN Incorporated Into CP-7
76
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Protects the confidentiality, integrity, and availability of Click here to enter text.
backup information at storage locations
Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution
objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes
the deactivation of any interim information system capabilities that may have been needed during recovery operations.
Reconstitution also assessments of fully restored information system capabilities, reestablishment of continuous monitoring
activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions,
compromises, or failures.
Organizations shall ensure all backup and restoration hardware, firmware and software are adequately protected.
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption,
compromise, or failure.
Click here to enter text.
77
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Information systems must uniquely identify and authenticate organizational users (or processes acting on behalf of
organizational users).
78
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.8.2.1 IA-2(1) – Identification and Authentication: Network Access to Non-Privileged Accounts (+ Classified Overlay) (-
Standalone Overlay)
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Information systems shall implement multi-factor authentication for all network access to privileged accounts.
10.8.2.2 IA-2(2) – Identification and Authentication: Network Access to Non-Privileged Accounts (+ Classified Overlay) (-
Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
79
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.8.2.3 IA-2(3) – Identification and Authentication: Local Access to Privileged Accounts (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Information systems shall implement multi-factor authentication for all local access to privileged accounts.
Click here to enter text.
10.8.2.4 IA-2(4) – Identification and Authentication: Local Access to Non-Privileged Accounts (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Information systems shall implement multi-factor authentication for all local access to non-privileged accounts.
80
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.8.2.6 IA-2(8) – Identification and Authentication: Network Access to Privileged Accounts – Replay Resistant (- Standalone
Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Information systems shall implement multi-factor authentication and use replay-resistant authentication mechanisms for all
network access to privileged accounts. An authentication process is resistant to replay attacks if it is impractical to achieve a
successful authentication by recording and replaying a previous authentication message. Techniques used to address this
include protocols that use random or non-repeating values (nonces) or challenges and time synchronous or challenge-
response one-time authenticators.
Click here to enter text.
10.8.2.7 IA-2(9) – Identification and Authentication (Organizational Users): Network Access to Non-Privileged Accounts – Replay
Resistant (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
81
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system implements replay-resistant authentication mechanisms for network access to non-privileged
accounts.
Click here to enter text.
10.8.2.8 IA-2(11) – Identification and Authentication (Organizational Users): Remote Access-Separate Device (- Standalone
Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts
such that one of the factors is provided by a device separate from the system gaining access and the device meets
organization-defined strength of mechanism requirements.
Click here to enter text.
10.8.2.9 IA-2(12) – Identification and Authentication (Organizational Users): Acceptance of PIV Credentials (- Standalone
Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system accepts and electronically verifies Personal Identity Verification (e.g., CAC) credentials.
82
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Information systems shall uniquely identify and authenticate all types of devices before establishing a network connection.
This includes, but is not limited to, servers, workstations, printers, routers, firewalls, VoIP telephones, video and VoIP
(VVOIP), desktop video teleconference (VTC) devices, etc. This control supports insider threat mitigation.
Device identification and authentication provides for unique identification and authentication of devices on a LAN and/or
WAN by using, for example, Media Access Control (MAC) or Transmission Control Protocol/Internet Protocol (TCP/IP)
addresses or an organizational authentication solution such as Institute of Electrical and Electronics Engineers (IEEE) 802.1x
and Extensible Authentication Protocol (EAP), Remote Authentication Dial In User Service (RADIUS) server with EAP-
Transport Layer Security (TLS) authentication, or Kerberos.
This control can be tailored out for standalone IS. Implementing this control ensures that un-authenticated devices, e.g.,
mobile devices and personal laptop computers, are not able to make a connection to an information system containing PII.
10.8.3.1 IA-3(1) – Device Identification and Authentication: Cryptographic Bi-Directional Authentication (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system authenticates all types of devices before establishing a connection using bidirectional
authentication that is cryptographically based. Bidirectional authentication provides stronger safeguards to validate the
identity of other devices for connections that are of greater risk (e.g., remote connections).
A local connection is any connection with a device communicating without the use of a network. A network connection is
any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A
83
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Selecting an identifier that identifies an individual, group, Click here to enter text.
role, or device
Assigning the identifier to the intended individual, group, Click here to enter text.
role, or device
Preventing reuse of identifiers Click here to enter text.
Disabling the identifier after a period not to exceed 90 Click here to enter text.
days of inactivity [30 days for Army] for individuals,
groups, or roles; not appropriate to define for device
identifiers; e.g., media access control (MAC), IP
addresses, or device unique token identifiers.
84
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Shared (Group) Password [IA-5.a & .j] An account password shared among a group of users (i.e., group account) shall be
specifically documented in the SSP and authorized for use by the AO or designee. If specifically authorized, shared account
passwords must not knowingly be the same for any other account and shall be changed if a user leaves the group.
The organization manages IS authenticators by:
Verifying, as part of the initial authenticator distribution, Click here to enter text.
the identity of the individual, group, role, or device
receiving the authenticator
Establishing initial authenticator content for Click here to enter text.
authenticators defined by the organization
Ensuring that authenticators have sufficient strength of Click here to enter text.
mechanism for their intended use
Establishing and implementing administrative Click here to enter text.
procedures for initial authenticator distribution, for
lost/compromised or damaged authenticators, and for
revoking authenticators
Changing default content of authenticators prior to Click here to enter text.
information system installation
85
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
These password requirements are for English display language. Other display languages should use equivalent password
strength requirements. Passwords shall not be stored on an information system in clear text. An authorized, non-reversible,
encryption algorithm (e.g., hash algorithm) shall be used to transform a password into a format that may be stored in a
password file for use during subsequent password-validation. Passwords and password files, when transmitted using
electronic means, shall be encrypted using an authorized algorithm.
An approved product vendor’s current password hashing algorithm is an authorized algorithm when used on a protected
network. When possible, systems shall be configured to automatically notify the user of the requirement to change their
password at least fourteen (l4) days before its expiration. The minimum age restriction does not apply to the initial change
of a password, help desk password reset, or when compromise of a password is known or suspected.
86
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.8.4.3 IA-5(4) – Authenticator Management: Automated Support for Password Strength Determination
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy
requirements as defined in IA-5 (1).
Passwords should be sufficiently strong to resist “password cracking” and other types of attacks intended to discover users’
passwords. Information resources should use automated password filters to verify that passwords are created consistent
with this document. Automated tools should be accessible to assist users with checking password strengths and generating
passwords. A password cracking method shall be used only with written AO authorization providing explicit direction for use
during vulnerability testing. Only authorized personnel will have access to and use password cracking tools. Reference IA-
5(1) (a) and (b) for password requirements.
87
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
88
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.8.4.7 IA-5(13) – Authenticator Management: Expiration of Cached Authenticators (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system prohibits the use of cached authenticators after one (1) hour.
Click here to enter text.
10.8.4.8 IA-5(14) – Authenticator Management: Managing Content of PKI Trust Stores (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the
content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.
Click here to enter text.
89
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
90
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.8.7.1 IA-8(1) – Identification and Authentication (Non-Organizational Users): Acceptance of PIV Credentials from Other
Agencies (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system accepts and electronically verifies Personal Identity Verification (PIV) (e.g., CAC) credentials from
other DoD and/or federal agencies.
Click here to enter text.
10.8.7.2 IA-8(2) – Identification and Authentication (Non-Organizational Users): Acceptance of Third-Party Credentials (-
Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system accepts only FICAM-approved third-party credentials.
Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity,
Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or
exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements.
This allows federal government relying parties to trust such credentials at their approved assurance levels.
91
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.8.7.3 IA-8(3) – Identification and Authentication (Non-Organizational Users): Use of FICAM Approved Products (- Standalone
Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization employs only FICAM-approved information system components in Program IS to accept third-party
credentials. NOTE: In lieu of FICAM-approved products, DoD shall use DoD-approved products.
Click here to enter text.
10.8.7.4 IA-8(4) - Identification and Authentication (Non-Organizational Users): Use of FICAM Issued Profiles (- Standalone
Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The IS conforms to FICAM-issued profiles. NOTE: In lieu of FICAM-approved profiles, DoD shall use DoD-approved
implementations.
Click here to enter text.
92
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
93
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.9.3.1 IR-3(2) – Incident Response Testing and Exercises: Coordination with Related Plans – NEW BASELINE
94
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
95
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.9.5.4 IR-4(6) – Incident Handling: Insider Threats – Specific Capabilities – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
96
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.9.5.5 IR-4(7) – Incident Handling: Insider Threats – Intra-Organization Coordination – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization coordinates incident handling capability for insider threats across the Oversight Team.
10.9.5.6 IR-4(8) – Incident Handling: Correlation with External Organization – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization coordinates with organizations whose data has been involved in an incident to correlate and share
incident-related information to achieve a cross-organization perspective on incident awareness and more effective incident
responses.
Click here to enter text.
97
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
In the case of a suspected incident, containment procedures must begin immediately. However, GCA/Confirmation of the
classification of the information spilled is required promptly so decisions concerning scale of containment and eradication
efforts can be scoped, e.g., data spilled onto another system tends to be (although not always) less critical than data spilled
to an unclassified system.
The ISSM/ISSO is responsible for reporting incidents to security as well as to the AO,. The ISSM/ISSO must also report the
incident to the system DAO who in turn reports it to the AO. [IR-6.b] If an activity from another organization is involved, the
Director of Security will provide proper notification to the organization.
Initial/interim reporting should begin as soon as possible after knowledge of the incident and should continue until the
incident is resolved.
Organizations will continue to report until the incident is closed.
98
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Reports security incident information to the appropriate Click here to enter text.
agency IAW AR 380-381
99
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.9.8.1 IR-7(1) – Incident Response Assistance: Automation Support for Availability of Information
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization employs automated mechanisms for increase the availability of incident response-related information and
support. Automated mechanisms for incident response related information and support may be employed through a
website, database, or other automated means.
This control is met using email.
100
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
101
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Alerting designed personnel of the information spill Click here to enter text.
using a method of communication not associated with
the spill
Isolating the contamination information system or Click here to enter text.
system component
Eradicating the information from the contaminated Click here to enter text.
information system or component
Identifying other IS or system components that may Click here to enter text.
have been subsequently contaminated
10.9.10.1 IR-9(1) – Information Spillage Response: Responsible Personnel (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization assigns personnel and associated roles with responsibility for responding to information spills.
Click here to enter text.
10.9.10.2 IR-9(2) – Information Spillage Response: Training (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
102
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.9.10.3 IR-9(4) – Information Spillage Response: Exposure to Unauthorized Personnel (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization employs security safeguards for personnel exposed to information not within assigned access
authorizations, such as making personnel aware of federal laws, directives, policies, and/or regulations regarding the
information and the restrictions imposed based on exposure to such information.
Click here to enter text.
10.9.11 IR-10 – Integrated Information Security Cell (+ Privacy Overlay) – NEW BASELINE
This MLL baseline control is also required by the Privacy Overlay for IS that process, store or transmit privacy information.
The control description must include the means by which the organization addresses the privacy-related implementation of
this control.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization establishes an integrated team of forensic/malicious code analysts, tool developers and real time
operations personnel.
Click here to enter text.
103
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
MAINTENANCE (MA)
10.10.1 MA-1 – System Maintenance Policy and Procedures
Program-specific policies and procedures shall be included in the specific security controls listed below. There is no
requirement for the Program to develop additional policy to meet the -1 control.
104
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
105
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
106
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Allows the use of nonlocal maintenance and diagnostic Click here to enter text.
tools only as consistent with organizational policy and
documented in the security plan for the information
system
Employs strong authenticators in the establishment of Click here to enter text.
nonlocal maintenance and diagnostic sessions
Maintains records for nonlocal maintenance and Click here to enter text.
diagnostic activities
Terminates session and network connections when Click here to enter text.
nonlocal maintenance is completed
107
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
108
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.10.5.1 MA-5(1) – Maintenance Personnel: Individuals without Appropriate Access (+ Classified Overlay)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
109
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
110
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
111
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.11.2.1 MP-2(2) – Media Access: Cryptographic Protection WITHDRAWN Incorporated Into SC-28
112
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
113
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Documents activities associated with the transport of Click here to enter text.
information system media
Restricts the activities associated with the transport of Click here to enter text.
information system media to authorized personnel.
Transport of media shall be restricted to an authorized
custodian by means of a courier card\letter
114
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implementation Status:
115
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization reviews, approves, tracks, documents and verifies media sanitization and disposal actions.
Click here to enter text.
116
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.11.6.4 MP-6(4) – Media Sanitization: Controlled Unclassified Information WITHDRAWN Incorporated Into MP-6
10.11.6.5 MP-6(5) – Media Sanitization: Classified Information WITHDRAWN Incorporated Into MP-6
10.11.6.6 MP-6(6) – Media Sanitization: Media Destruction WITHDRAWN Incorporated Into MP-6
10.11.7.1 MP-7(1) – Media Use: Prohibit Use without Owner – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization prohibits the use of portable storage devices in organizational information systems when such devices
have no identifiable owner.
117
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Ensures that the IS media downgrading process is Click here to enter text.
commensurate with the security category and/or
classification level of the information to be removed and
the access authorizations of the potential recipients of
the downgraded information
Identifies the IS media requiring downgrading Click here to enter text.
Downgrades the identified IS media using the Click here to enter text.
established process
118
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
119
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Reviews the access list detailing authorized facility Click here to enter text.
access by individuals [annually or as policy and
procedures dictate changes are required
Removes individuals from the facility access list when Click here to enter text.
access is no longer required
10.12.2.1 PE-2(3) – Physical Access Authorizations: Restrict Unescorted Access (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization restricts unescorted access to the facility where the information system resides to personnel with security
clearances and/or formal access approval as defined by the local security policy (i.e., Facility SOP).
Click here to enter text.
120
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Enforces physical access authorizations by: Verifying Click here to enter text.
individual access authorizations before granting access
to the facility; and Controlling ingress/egress to the
facility;
Maintains physical access audit logs Click here to enter text.
Provides security safeguards to control access to areas Click here to enter text.
within the facility officially designated as publicly
accessible. Physical casings include for example, locking
computer racks to protect mission critical servers,
network routers, etc. As an alternative, these devices
may be secured in a room (e.g., a server room) with
access limited to privileged users.
Escorts visitors and monitors visitor activity Click here to enter text.
Secures keys, combinations, and other physical access Click here to enter text.
devices
Inventories physical access devices within as required Click here to enter text.
Changes combinations and keys when first installed or Click here to enter text.
used; if believed to have been subjected to compromise;
and when considered necessary by the cognizant
security authority (CSA) and/or when keys are lost,
combinations are compromised, or individuals are
transferred or terminated
10.12.3.1 PE-3(1) – Physical Access Control: Information System Access – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
121
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.12.3.2 PE-3(2) – Physical Access Control: Facility/Information System Boundaries (+ Classified Overlay)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization performs random security checks at the physical boundary of the facility or information system for
unauthorized exfiltration of information or removal of information system components.
Click here to enter text.
122
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.12.4 PE-4 – Access Control for Transmission Medium (+ Classified Overlay) (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization controls physical access to information system distribution and transmission lines within organizational
facilities. Security safeguards include locked wiring closets, disconnected or locked spare jacks, and protection of cabling by
conduit or cable trays.
Click here to enter text.
See the DAA PM for additional information on the use of KVM Switches.
Click here to enter text.
10.12.5.1 PE-5(3) – Access Control for Output Devices: Marking Output Devices (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
123
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.12.6.1 PE-6(1) – Monitoring Physical Access: Intrusion Alarms/Surveillance Equipment – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization monitors physical intrusion alarms and surveillance equipment.
Click here to enter text.
124
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.12.7 PE-7 – Visitor Control includes PE-7(1) – Visitor Control: Visitor Escort and PE-7(2) – Visitor Control: Visitor Identification
– WITHDRAWN Incorporated into PE-2 and PE-3
125
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
126
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization employs management, operational and technical information system security controls at the alternate
work site equivalent to those applicable to the primary work site. These security controls shall be assessed as feasible to
determine the effectiveness of these controls. The alternate work site shall provide a means for employees to communicate
with information security personnel in case of security incidents or problems.
An alternate work site has not been established.
127
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.12.15.1 PE-19(1) – Information Leakage: National Emissions/TEMPEST Policies and Procedures (+ Classified Overlay)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization ensures that IS component, associate data communications, and networks are protected in accordance
with national emissions and TEMPEST policies and procedures based on the security category or classification of the
information.
Click here to enter text.
128
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
PLANNING (PL)
10.13.1 PL-1 – Security Planning Policy and Procedures
Program-specific policies and procedures shall be included in the specific security controls listed below. There is no
requirement for the Program to develop additional policy to meet the -1 control.
129
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.13.2.1 PL-2(3) – System Security Plan: Coordinate with Organization Entities – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization plans and coordinates security-related activities affecting the IS with all relevant organizations or groups
130
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.13.3.1 PL-4(1) – Rules of Behavior: Social Media and Networking Restrictions – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
131
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.13.4 PL-5 – Privacy Impact Assessment – WITHDRAWN Incorporated into Appendix J, AR-2
Ensures that planned information security architecture Click here to enter text.
changes are reflected in the security plan, the security
Concept of Operations (CONOPS) (if appropriate), and
organizational procurements/acquisitions
Requires individuals who have signed a previous version Click here to enter text.
of the rules of behavior to read and re-sign when the
rules of behavior are revised/updated
132
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
133
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Organizations shall ensure that every user accessing an IS processing, storing, or transmitting types of classified information
which require formal indoctrination, is formally indoctrinated for all information for which the user is authorized access.
The organization:
Screens individuals prior to authorizing access to the Click here to enter text.
information system
Implementation Status:
134
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization ensures that individuals accessing an information system processing, storing, or transmitting types of
classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of
information to which they have access on the system. Reference DoDM 5205.07-V2.
Click here to enter text.
10.14.3.2 PS-3(3) – Personnel Screening: Information With Special Protection Measures (+ Privacy Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization ensures that individuals accessing an IS processing, storing or transmitting information requirement special
protection: (a) have valid access authorizations that are demonstrated by assigned official government duties; and (b) satisfy
any organizationally-required background screenings.
Click here to enter text.
135
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
deemed to be of value is retained before the departing user’s accounts are archived and removed. The property custodian
must retrieve any equipment issued to the departing individual, such as laptops or PEDs. The loss of security clearance or
formal access approval (through de-briefing, suspension or revocation) requires immediate deactivation of all accounts
associated with the individual.
The organization, upon termination of an individual:
Disables information system access within 24 hours Click here to enter text.
Terminates/revokes any authenticators/credentials Click here to enter text.
associated with the individual
Conducts exit interviews that include a discussion of any Click here to enter text.
prohibitions regarding the information obtained during
the employment
Retrieves all security-related organizational information Click here to enter text.
system-related property
Retains access to organizational information and Click here to enter text.
information systems formerly controlled by terminated
individual
10.14.4.1 PS-4(1) – Personnel Termination: Post-Termination Requirements (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization (a) notified termination individuals of applicable, legally binding post-employment requirements for the
protection of organizational information; and (b) requires terminated individuals to sign an acknowledgment of post-
employment requirements as part of the organizational termination process.
Click here to enter text.
136
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Notify other organizations that may have granted system accesses (for example, collateral systems access, database access
managed by another agency or organization) of the individual’s transfer or reassignment. Notification of an employee’s
transfer or reassignment shall be documented as the responsibility of the employee’s supervisor or Human Resources. The
property custodian must determine whether any equipment issued to the individual, such as laptops or PEDs, should be
retrieved or transferred to another property account. Reference AC-2 for additional requirements.
The organization, upon transfer of an individual:
Reviews and confirms any ongoing operational need for Click here to enter text.
current logical and physical access authorizations to
information systems/facilities when individuals are
reassigned or transferred to other positions within the
organization
Initiates reassignment actions to ensure all system Click here to enter text.
access no longer required (need to know) are removed
or disabled within 10 working days
Modifies access authorization as needed to correspond Click here to enter text.
with any changes in operational need due to
reassignment or transfer
The User Access Agreement shall be retained by the ISSM for a minimum of two (2) years after access is removed.
Organizations shall ensure that access to any information with special protection measures is granted only to individuals
who:
• Have a valid access authorization that is demonstrated by assigned official government duties.
• Satisfy associated personnel security criteria consistent with applicable federal laws, EOs, directives, policies,
regulations, standards, and guidance.
• Have read, understand, and signed a nondisclosure agreement (if applicable).
Information with special protection measures includes, for example, privacy information, proprietary information, and
Sources and Methods Information (SAMI).
The organization:
137
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Develops and documents access agreements for Click here to enter text.
organizational information systems
Reviews and updates access agreements at least Click here to enter text.
annually
Ensures that individuals requiring access to organization Click here to enter text.
information and IS: sign appropriate access agreements
prior to being granted access; re-sign access agreements
to maintain access to organization IS when access
agreements have been update or at least annually
10.14.6.1 PS-6(1) – Access Agreements: Information Requiring Special Protection – WITHDRAWN Incorporated into PS-3
10.14.6.2 PS-6(2) – Access Agreements: Classified Information Requiring Special Protection (+ Classified Overlay)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization ensures that access to classified information requiring special protection is granted only to individuals who
(a) have a valid access authorization that is demonstrated by assigned official government duties; (b) satisfy associated
personnel security criteria; and (c) have read, understood, and signed a nondisclosure agreement.
Click here to enter text.
10.14.6.3 PS-6(3) – Access Agreements: Post-Employment Requirements (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization (a) notifies individuals of applicable, legally-binding post-employment requirements for protection of
organizational information; (b) requires individuals to sign an acknowledgment of these requirements, if applicable, as part
of granting initial access to covered information.
Click here to enter text.
138
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
139
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Employs a formal sanctions process for individuals failing Click here to enter text.
to comply with established information security policies
and procedures
Notifies the appropriate organizations as soon as Click here to enter text.
possible when a formal employee sanctions process is
initiated, identifying the individual sanctioned and the
reason for the sanction
140
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Ensures that the security categorization decision is Click here to enter text.
reviewed by the SCA and approved by the AO/AO-
Representative
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The Risk Assessment Report (RAR) is part of the required Body of Evidence (BoE) provided to the DAO as the basis of the
authorization to operate decision. The RAR should be initiated prior to or during Step 1, Security Categorization.
The organization:
Conducts an assessment of risk, including the likelihood Click here to enter text.
and magnitude of harm, from the unauthorized access,
use, disclosure, disruption, modification, or destruction
141
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Documents risk assessment results in the Risk Click here to enter text.
Assessment Report (RAR)
Reviews risk assessment results at least annually Click here to enter text.
Disseminates risk assessment results to the SCA for Click here to enter text.
initial review and to the AO/AO-Representative for final
approval
Updates the risk assessment at least annually or Click here to enter text.
whenever there are significant changes to the
information system or environment of operation
(including the identification of new threats and
vulnerabilities), or other conditions that may impact the
security state of the system
142
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
143
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.15.4.5 RA-5(7) – Vulnerability Scanning: Automated Detection and Notification of Unauthorized Components – WITHDRAWN
Incorporated into CM-8
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
144
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
The organization employs a technical surveillance countermeasures survey at their facilities as required.
Click here to enter text.
145
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Determines, documents, and allocates the resources Click here to enter text.
required to protect the IS or IS service as part of its
capital planning and investment control process
Establish a discrete line item for information security in Click here to enter text.
organizational programming and budgeting
documentation
146
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.16.4.1 SA-4(1) – Acquisition Process: Functional Properties of Security Controls – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
147
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.16.4.2 SA-4(2) – Acquisition Process: Design/Implementation Information for Security Controls (- Standalone Overlay) – NEW
BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization requires the developer of the IS, system component, or IS service to provide design and implementation
information for the security controls to be employed that includes: security-relevant external system interfaces; high level
design; source code or hardware schematics and other system or service specific implementation information at a sufficient
level of detail.
10.16.4.3 SA-4(6) – Acquisition Process: Use of Information Assurance Products (+ Classified Overlay)
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization shall employ only GOTS or COTS IA and IA-enabled IT products that compose an NSA-approved solution to
protect classified information when the system(s)/networks used to process, store, and/or transmit the information are at a
lower classification level than the information being transmitted (i.e., tunneling) [SA-4(6) (a)], ensure that these products
have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
Click here to enter text.
148
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.16.4.4 SA-4(7) – Acquisition Process: NIAP Approved Protection Profiles – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
The organization (a) limits the use of commercially provided IA and IA-enabled IT products to those products that have been
successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a
specific technology type, if such a profile exists; (b) Requires, if no NIAP-approved Protection Profile exists for a specific
technology type but a commercially provided IT products relies on cryptographic functionality to enforce its security policy,
that the cryptographic module is FIPS-validated.
Click here to enter text.
10.16.4.6 SA-4(10) – Acquisition Process: Use of Approved PIV Products (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
149
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Obtain administrator documentation for the IS, IS Click here to enter text.
component, or IS service that describes: (1) Secure
configuration, installation, and operation of the
information system; (2) Effective use and maintenance
of security features/functions; and (3) Known
vulnerabilities regarding configuration and use of
administrative (i.e., privileged) functions.
Obtain user documentation for he IS, IS component, or Click here to enter text.
IS service that describes: (1) User-accessible security
features/functions and how to effectively use those
security features/functions; (2) Methods for user
interaction with the information system, which enables
individuals to use the system in a more secure manner
(e.g. training materials, user guides, Standard Operating
Procedures); (3) User responsibilities in maintaining the
security of the information and information system
Document attempts to obtain IS, IS component, or IS Click here to enter text.
service documentation when such documentation is
either unavailable or nonexistent
150
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.16.5.1 SA-5 (1) – Information System Documentation: Functional Properties of Security Controls – WITHDRAWN Incorporated
into SA-4(1)
10.16.5.2 SA-5(2) – Information System Documentation: Security Relevant External System Interfaces – WITHDRAWN
Incorporated into SA-4(2)
10.16.6 SA-6 - Software Usage Restrictions – WITHDRAWN Incorporated into CM-10 and SI-7
10.16.7 SA-7 – User-Installed Software – WITHDRAWN Incorporated into CM-11 and SI-7
10.16.9 SA-9 – External Information System Services (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
External Information System services are service that are implemented outside of the authorization boundary of the
organizational information system (i.e., a service that is used by, but not a part of, the organizational information system).
Relationships with external service providers are established in a variety of ways, for example, through joint ventures,
business partnerships, outsourcing arrangements (i.e., contracts, interagency agreements, lines of business arrangements),
licensing agreements, and/or supply chain exchanges. The responsibility for adequately mitigating risks arising from the use
of External Information System services remains with the AO. When a sufficient level of trust cannot be established in the
external services and/or service providers, the organization shall employ compensating security controls or accept the
greater degree of risk.
The organization:
151
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.16.9.1 SA-9(1) – External Information System Services: Risk Assessment/Organizational Approvals (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization (a) conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated
information security services; and (b) Ensures the acquisition or outsourcing of dedicated information security services is
approved as defined at the system or program level. Organizations should ensure that individuals with the regulatory and
organizational authority to outsource services conduct full scope risk assessments and ensure that appropriate individuals
are involved in this decision. This approval line can be reserved for CIO, AO, or contracting officer as appropriate based on
an organization’s structure. Dedicated information security services include, for example, incident monitoring, analysis and
response, operation of information security-related devices such as firewalls, or key management services.
Click here to enter text.
10.16.9.2 SA-9(2) – External Information System Services: Identification of Functions/Ports/Protocols/Services – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
152
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.16.9.3 SA-9(5) – External Information System Services: Processing, Storage, and Service Location (+ Privacy Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization restricts the location of classified or sensitive information processing, information/data storage, or IS
services to locations approved for such processing and to appropriately cleared and access individuals.
Click here to enter text.
153
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization requires the developer of the IS, system component, or IS service to enable integrity verification of
software and firmware components.
Click here to enter text.
Perform the appropriate type of testing/evaluation (e.g., Click here to enter text.
unit, integration, system, regression)
154
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Document the results of the security testing/evaluation Click here to enter text.
and flaw remediation processes
The organization::
Requires the developer if the IS, system component, or Click here to enter text.
IS service to follow a documented process that: (1)
explicitly addresses security requirements; (2) identifies
the standards and tools used in the development
process; (3) documents the specific tool options and tool
configuration used in the development process; and (4)
155
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.16.13.1 SA-15(9) – Development Process, Standards and Tools: Use of Live Data (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization approves, documents, and controls the use of live data in development and test environments for the IS,
system component, or IS service.
Click here to enter text.
156
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
The organization::
Develops and implements anti-counterfeit policy and Click here to enter text.
procedures that include the means to detect and
prevent counterfeit components from entering the IS
Reports counterfeit IS components to ASPD and the Click here to enter text.
CIO/G-6 in accordance with AR 380-381
157
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
158
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17.6 SC-5(1) – Denial of Service Protection: Restrict Internal Users (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
159
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17.7.1 SC-7(3) – Boundary Protection: Access Points (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
160
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17.7.2 SC-7(4) – Boundary Protection: External Telecommunications Services (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization: (a) Implements a managed interface for each external telecommunication service; (b) Establishes a traffic
flow policy for each managed interface; (c) Protects the confidentiality and integrity of information being transmitted across
each interface; (d) Documents exceptions to the traffic flow policy with a supporting mission/business need and the
duration of that need in the SSP; (e) Reviews exceptions to the traffic flow policy at least annually; Eliminates traffic flow
policy exceptions that are no longer required by an explicit mission/business need; and update the SSP accordingly.
Click here to enter text.
10.17.7.3 SC-7(5) – Boundary Protection: Deny by Default/Allow by Exception (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
161
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17.7.4 SC-7(7) – Boundary Protection: Prevent Split Tunneling for Remote Devices (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The IS, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections
with the system and communicating via some other connection to resources in external networks. The use of VPNs for
remote connections, when adequately provisioned with appropriate security controls, may provide the organization with
sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and
integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The
use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling.
Click here to enter text.
10.17.7.5 SC-7(8) – Boundary Protection: Route Traffic to Authenticated Proxy Servers (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The IS routes specific internal communications traffic through authenticated proxy servers within the managed interfaces of
boundary protection devices, (e.g. as defined in DoDI 8551.1, Ports, Protocols, and Services Management (PPSM), and DISA
STIGs), to external networks (i.e., networks outside the control of the organization). The list of traffic to be routed through
162
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
managed interfaces may be augmented with Service or site-specific requirements and approved by the DAO or designee.
Click here to enter text.
10.17.7.6 SC-7(9) – Boundary Protection: Restrict Threatening Outgoing Communications Traffic (- Standalone and CRN Overlay) –
NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The IS (a) detects and denies outgoing communications traffic posing a threat to external IS; and (b) audits the identity of
internal users associated with denied communications. This is sometimes termed extrusion detection and includes traffic
indicative of denial of service attacks and traffic containing malicious code.
Click here to enter text.
10.17.7.7 SC-7(10) – Boundary Protection: Prevent Unauthorized Exfiltration (- Standalone and CRN Overlay)
This control is required for IS that process, store or transmit SCI.
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization prevents the unauthorized exfiltration of information across managed interfaces.
Click here to enter text.
10.17.7.8 SC-7(11) – Boundary Protection: Restrict Incoming Communications Traffic (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
163
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17.7.9 SC-7(12) – Boundary Protection: Host-Based Protection (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization implements host-based boundary protection mechanisms (e.g., a host-based firewall) for servers,
workstations, and mobile devices. Host-based boundary protection mechanisms shall be employed on mobile devices, (e.g.,
notebook/laptop computers and other types of mobile devices) where boundary protection mechanisms are available. This
typically applies when the internal network has classification or access levels that differ.
Click here to enter text.
10.17.7.10 SC-7(13) – Boundary Protection: Isolation of Security Tools/Mechanisms/Support Components (- Standalone and CRN
Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization isolates, at a minimum, vulnerability scanning tools, audit log servers, patch servers, and CND tools from
164
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17.7.11 SC-7(14) – Boundary Protection: Protects Against Unauthorized Physical Connections (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization protects against unauthorized physical connections at any managed interface that crosses security
domains or connects to an external network; such as, but not limited to cross domain solutions, a network boundary with a
WAN, a partner network, or the Internet.
Click here to enter text.
165
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
When networks are present other than those listed above, a different color must be selected for the network cables to assist
in minimizing the risk to classified IS.
Click here to enter text.
10.17.8.1 SC-8(1) – Transmission Confidentiality and Integrity: Cryptographic or Alternate Physical Protection (+ Classified ) – NEW
BASELINE
166
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17.8.2 SC-8(2) – Transmission Confidentiality and Integrity: Pre/Post Transmission Handling (+ Classified Overlay) (- Standalone
Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The IS maintains the confidentiality and integrity of information during preparation for transmission and during reception.
Click here to enter text.
10.17.8.3 SC-8(3) – Transmission Confidentiality and Integrity: Cryptographic Protection for Message Externals (+ Classified
Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The IS implements cryptographic mechanisms to protect message externals unless otherwise protected by alternative
physical or logical safeguards. Message externals include, for example, message headers/routing information.
Click here to enter text.
10.17.8.4 SC-8(4) – Transmission Confidentiality and Integrity: Conceal/Randomize Communications (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The IS implements cryptographic mechanisms to conceal or randomize communications patterns unless otherwise protected
by alternative physical or logical safeguards. Communication patterns include, for example, frequency, periods, amount,
and predictability. Changes to communications patterns can reveal information having intelligence value especially when
167
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
168
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17.10.1 SC-12(2) – Cryptographic Key Establishment and Management/Symmetric Keys (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization produces, controls, and distributes symmetric keys using NSA-approved key management technology and
processes.
Click here to enter text.
10.17.10.2 SC-12(3) – Cryptographic Key Establishment and Management/Asymmetric Keys (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization produces, controls, and distributes asymmetric keys using NSA-approved key management technology
and processes.
Click here to enter text.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The IS implements using NSA-approved cryptography for protecting classified information from access by personnel who
lack the necessary security clearance in accordance with applicable Federal laws, Executive Orders, directives, policies,
regulations, and standards. To protect classified information organizations shall employ NSA-approved cryptography.
169
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17.11.1 SC-13(3) – Cryptographic Protection: Individuals without Formal Access Approvals – WITHDRAWN Incorporated into SC-
13
10.17.12 SC-14 – Public Access Protections WITHDRAWN Incorporated into multiple controls
Provides an explicit indication of use to users physically Click here to enter text.
present at the devices
170
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17.13.1 SC-15(2) – Collaborated Computing Devices: Blocking Inbound/Outbound Communications Traffic WITHDRAWN
Incorporated into SC-7
10.17.13.2 SC-15(3) – Collaborative Computing Devices: Disabling/Removal in Secure Work Areas (+ Classified Overlay) (-
Standalone & CRN Overlay) – NEW
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization disables or removes collaborative computing devices from organizationally-identified IS or IS components
in specified secure work areas.
Click here to enter text.
171
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
172
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
173
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17.16 SC-19 – Voice over Internet Protocol (VoIP) (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Organizations shall ensure VoIP technologies are implemented with DAO and approval. The organization shall further
ensure:
VoIP telephone instruments shall have a “Consent to Monitor” label (e.g. DD
Form 2056) or banner and an appropriate classification label or banner. VoIP
telephone instruments must be used in such a way to ensure no unintended
conversations are picked up and transmitted outside the facility. This may
include use in an enclosed office, or ensuring no other higher classified
discussions occur in the area when the VoIP telephone is in use.
The organization:
Establishes usage restrictions and implementation Click here to enter text.
guidance for VoIP technologies based on the potential to
cause damage to the IS if used maliciously
Authorizes, monitors and controls the use of VoIP within Click here to enter text.
the IS.
10.17.17 SC-20 – Secure Name/Address Resolution Service (Authoritative Source) (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
A Domain Name System (DNS) server is an example of an information system that provides name/address resolution
service.
The information system:
174
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17.17.1 SC-20(1) – Secure Name/Address Resolution Service (Authoritative Source): Child Subspaces WITHDRAWN Incorporated
into SC-20
10.17.18 SC-21 – Secure Name/Address Resolution Service (Recursive or Caching Resolver) (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system requests and performs data origin authentication and data integrity verification on the
name/address resolution responses the system receives from authoritative sources.
Click here to enter text.
10.17.19 SC-22 – Architecture and Provisioning for Name/Address Resolution Service (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The IS that collectively provide name/address resolution service for an organization shall be fault-tolerant and implement
internal/external role separation.
Click here to enter text.
175
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17.20.1 SC-23(1) – Session Authenticity: Invalidate Session Identifiers at Logout (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system invalidates session identifiers upon user logout or other session termination.
Click here to enter text.
10.17.20.2 SC-23(2) – Session Authenticity: User Initiated Logouts/Message Displays WITHDRAWN Incorporated into AC-12(1)
10.17.20.3 SC-23(3) – Session Authenticity: Unique Session Identifies with Randomization (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
176
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system generates a unique session identifier for each session and recognizes only session identifiers that
are system-generated.
Click here to enter text.
10.17.20.4 SC-23(5) – Session Authenticity: Allowed Certificate Authorities (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system only allows the use of defined certificate authorities for verification of the establishment of
protected sessions.
Click here to enter text.
177
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
178
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.17.24.1 SC-42(3) – Sensor Capability and Data: Prohibit Use of Services (+ Classified Overlay) – NEW
Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization prohibits the use of devices possessing environmental sensing capabilities within facilities.
Click here to enter text.
179
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
180
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Control: The organization:
a. Develops, documents, and disseminates to all personnel:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and information integrity policy and
associated system and information integrity controls; and
b. Reviews and updates the current:
1. System and information integrity policy every 5 years; and
2. System and information integrity procedures at least annually.
181
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Flaw remediation refers to software patch management. Patch management is the systematic notification, identification,
deployment, installation, and verification of operating system and application software code revisions.
Organizations shall:
• Ensure system/network administrators routinely review vendor sites, bulletins, and notifications and proactively update
information systems with fixes, patches, definitions, service packs, or implementation of vulnerability mitigation strategies
with ISSM approval.
• Employ automated patch management tools on all components to the maximum extent supported by available tools to
facilitate flaw remediation.
By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation
actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example,
determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-
defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including,
for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability
related to the discovered flaw). Organizations determine the degree and type of testing needed for the specific type of flaw
remediation activity under consideration and also the types of changes that are to be configuration-managed. In some
situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical,
for example, when implementing simple anti-virus signature updates.
The organization:
Identifies, reports and corrects IS flaws Click here to enter text.
Tests software updates related to flaw remediation for Click here to enter text.
effectiveness and potential side effects on
organizational information systems before installation
Installs security-relevant software and firmware updates Click here to enter text.
within thirty (30) days of release of the updates
Incorporates flaw remediation into the organizational Click here to enter text.
configuration management process
182
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.18.2.3 SI-2(3) – Flaw Remediation: Time to Remediate Flaws/Benchmarks for Corrective Actions (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization shall measure the time between flaw identification and flaw remediation, comparing with a local historical
development of benchmarks, if available.
Click here to enter text.
10.18.2.4 SI-2(4) – Flaw Remediation: Automated Patch Management Tools WITHDRAWN Incorporated into SI-2
10.18.2.5 SI-2(6) – Flaw Remediation: Removal of Previous Versions of Software/Firmware – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
183
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization removes previous versions of software and/or firmware components after updated versions have been
installed.
Click here to enter text.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization:
Employs malicious code protection mechanisms at Click here to enter text.
information system entry and exit points to detect and
eradicate malicious code
Updates malicious code protection mechanisms Click here to enter text.
whenever new releases are available in accordance with
organizational configuration management policy and
procedures
Configures malicious code protection mechanisms to: Click here to enter text.
(a) Perform periodic scans of the information system at
least weekly and real-time scans of files from external
sources at endpoints and network entry/exit points as
files are downloaded, opened, or executed in
accordance with organizational security policy; (b) Block
and quarantine malicious code and send an alert to the
system administrator in response to malicious code
detection
Addresses the receipt of false positives during malicious Click here to enter text.
code detection and eradication and the resulting
potential impact on the availability of the information
system
184
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.18.3.3 SI-3(10) – Malicious Code Protection: Malicious Code Analysis – NEW BASELINE
Recommended Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization (a) employs specific tools and techniques to analyze the characteristics and behavior of malicious code; and
(b) incorporates the results from the analysis into organizational incident response and flaw remediation processes.
185
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Monitors the information system to detect: (1) Attacks Click here to enter text.
and indicators of potential attacks in accordance with
the Service or Activity policy and (2) Unauthorized local,
network, and remote connections;
Identifies unauthorized use of the information system Click here to enter text.
through User Activity Monitoring tools, such as InTrust
Deploys monitoring devices: (i) strategically within the Click here to enter text.
information system to collect organization-determined
essential information; and (ii) at ad hoc locations within
the system to track specific types of transactions of
interest to the organization
Protects information obtained from intrusion-monitoring Click here to enter text.
tools from unauthorized access, modification, and
deletion
Heightens the level of information system monitoring Click here to enter text.
activity whenever there is an indication of increased risk
to organizational operations and assets, individuals,
other organizations, or the Nation based on law
enforcement information, intelligence information, or
other credible sources of information
Obtains legal opinion with regard to information system Click here to enter text.
monitoring activities in accordance with applicable
federal laws, Executive Orders, directives, policies, or
regulations
Provides information as needed to designated personnel Click here to enter text.
10.18.4.1 SI-4(1) – Information System Monitoring: System-Wide Intrusion Detection System (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
186
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.18.4.2 SI-4(2) – Information System Monitoring: Automated Tools for Real-Time Analysis (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
To the extent possible, the organization employs automated tools to support near real-time analysis of events.
Click here to enter text.
10.18.4.3 SI-4(4) – Information System Monitoring: Inbound and Outbound Communications Traffic (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic
include, for example, internal traffic that indicates the presence of malicious code within organizational information systems
or propagating among system components, the unauthorized exporting of information, or signaling to external information
systems. Evidence of malicious code is used to identify potentially compromised information systems or information system
components.
187
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.18.4.4 SI-4(5) – Information System Monitoring: System Generated Alerts (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The information system alerts the ISSM/ISSO when the following indications of compromise or potential compromise occur:
audit record deletion or modification, alerts from malicious code detection mechanisms, intrusion detection or prevention
mechanisms, boundary protection mechanisms such as firewalls, gateways, and routers.
Click here to enter text.
10.18.4.5 SI-4(10) – Information System Monitoring: Visibility of Encrypted Communications (- Standalone Overlay) – NEW
BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization makes provisions so that Program-related encrypted communications traffic is visible to deployed IS
monitoring tools.
Click here to enter text.
10.18.4.6 SI-4(11) – Information System Monitoring: Analyze Communications Traffic Anomalies (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs.
188
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.18.4.8 SI-4(14) – Information System Monitoring: Wireless Intrusion Detection (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
189
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.18.4.9 SI-4(15) – Information System Monitoring: Wireless to Wireline Communications (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
If appropriate, the organization shall employ an IDS to monitor wireless communications traffic as the traffic passes from
wireless to wireline networks.
Click here to enter text.
10.18.4.10 SI-4(16) – Information System Monitoring: Correlate Monitoring Information (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
To the extent possible, the organization shall correlate information from monitoring tools employed throughout the
information system to achieve organization-wide situational awareness. This control supports insider threat mitigation.
Click here to enter text.
10.18.4.11 SI-4(19) – Information System Monitoring: Individuals Posing Greater Risk (+ Classified Overlay) – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
190
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization implements additional monitoring measures of individuals who have been identified by organization
and/or other authorized sources as posing an increased level of risk. Indications of increased risk from individuals can be
obtained from a variety of sources including, for example, human resource records, intelligence agencies, law enforcement
organizations, and/or other credible sources. The monitoring of individuals is closely coordinated with management, legal,
security, and human resources officials within organizations conducting such monitoring and complies with federal
legislation, Executive Orders, policies, directives, regulations, and standards.
Click here to enter text.
10.18.4.13 SI-4(21) – Information System Monitoring: Probationary Periods (+ Classified Overlay) - NEW
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
191
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
10.18.4.14 SI-4(22) – Information System Monitoring: Unauthorized Network Services (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Information system detects network services that have not been authorized or approved by defined authorized or approval
processes and audits and/or alerts the ISSM/ISSO.
Click here to enter text.
10.18.4.15 SI-4(23) – Information System Monitoring: Host-Based Devices (- Standalone Overlay) – NEW BASELINE
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization implements host-based monitoring at identified IS components. This includes monitoring, for example, of
I/O and endpoint services.
Click here to enter text.
192
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Disseminates security alerts, advisories, and directives to Click here to enter text.
ISSM, ISSOs, and system administrators and security
personnel, as appropriate
Implements security directives in accordance with Click here to enter text.
established time frames, or notify the issuing
organization of the degree of noncompliance
10.18.5.1 SI-7(14) – Software, Firmware, and Information Integrity: Binary or Machine Executable Code – NEW BASELINE
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
The organization (a) Prohibits the use of binary or machine executable code from sources with limited or not warranty and
without the provision of source code; and (b) Provides exceptions to the source code requirement only for compelling
mission/operational requirements and with the approval of the AO.
Click here to enter text.
193
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
194
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
195
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Updates the plan to address organizational changes and Click here to enter text.
problems identified during plan implementation or
security control assessments; and
Protects the information security program plan from Click here to enter text.
unauthorized disclosure and modification.
196
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Ensure that information security resources are available Click here to enter text.
for expenditure as planned
The organization:
Implements a process for ensuring that plans of action Click here to enter text.
and milestones for the security program and associated
organizational information systems: (1) Are developed
and maintained; (2) Document the remedial information
security actions to adequately respond to risk to
organizational operations and assets, individuals, other
197
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Each ISSM is required to maintain an inventory of information systems under its purview; ensuring information related to
the number, size, and mission information system is maintained.
Click here to enter text.
Information security measures monitor the accomplishment of goals and objectives by quantifying the implementation,
efficiency, and effectiveness of security controls; analyzing the adequacy of information security program activities;
identifying possible improvement actions.
198
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
Identifying and documenting critical infrastructure and key resources provides the organization with the fundamental
understanding of what assets need protection, at what level, ensures focus on the mission/business objectives, and supports
contingency planning [CP-2].
Click here to enter text.
199
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
The organization:
Develops a comprehensive strategy to manage risk to Click here to enter text.
organizational operations and assets, individuals, other
organizations, and the Nation associated with the
operation and use of information systems;
Implements the risk management strategy consistently Click here to enter text.
across the organization;
Reviews and updates the risk management strategy at Click here to enter text.
least annually or as required to address organizational
changes
The organization:
Manages (i.e., documents, tracks, and reports) the The ISSM manages the process for Facility.
security state of organizational IS and the environments
in which those systems operate through the security
authorization process
Designates individuals to fulfill specific roles and Click here to enter text.
responsibilities within the organizational risk
management process (i.e., ISSM/ISSO)
Fully integrates the security authorization processes into Click here to enter text.
an organization-wide risk management program
200
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
201
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
The organization:
Implements a process for ensuring that organizational Click here to enter text.
plans for conducting security testing, training, and
monitoring activities associated with organizational
information systems: (1) Are developed and maintained;
and (2) Continue to be executed in a timely manner
Reviews testing, training, and monitoring plans for Click here to enter text.
consistency with the organizational risk management
strategy and organization-wide priorities for risk response
actions
The organization establishes and institutionalizes contact with selected groups and associations within the security
community: a. To facilitate ongoing security education and training for organizational personnel; b. To maintain currency
with recommended security practices, techniques, and technologies; and c. To share current security-related information
including threats, vulnerabilities, and incidents.
202
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
The organization implements a threat awareness program that includes a cross-organization information-sharing capability.
Click here to enter text.
203