DSS RMF SSP Template M-L-L With Controls Overlays - 9 May 16 v5

System Security Plan (SSP)
Categorization: Moderate-Low-Low
Incorporates Classified, Closed Restricted Network/Local Area Network and Standalone Overlays
System Name Click here to enter text.

Registration#/Unique ID Click here to enter text.
Service/Agency Click here to enter text.
Report Prepared By Click here to enter text.
Version 5
Date 24 February 2020
System/Document Change Records
INSTRUCTIONS (DELETE IN FINAL DOCUMENT. The system changes provided within this table must be incorporated into the
security plan during the system’s re-authorization or when the system change is significant to completely invalidate the current
security plan.
SSP Revision Description of Changed Page(s) Date Entered BY
Number change
V1 Initial Document 25 Jan 16
Revised 09 May 16 TLB
ii
INSTRUCTIONS (DELETE IN FINAL DOCUMENT): Click on the “Enter Name” entry below to type in the name.
Review and Approval of Controls

The signatories below have reviewed and approved this System Security Plan (SSP).
SCA
Enter Name
X_____________________________________________
DAO-REPRESENTATIVE
Enter Name
X_____________________________________________
iii
INSTRUCTIONS (DELETE IN FINAL DOCUMENT): Click on the “Enter Name” entry below to type in the name.
Program & Cybersecurity/Information Assurance

Personnel
The signatories below attest that this System Security Plan (SSP) accurately reflects the security environment of the
organization and system addressed in this SSP.
FSO
Enter Name
X_____________________________________________
ISSM
Enter Name
X_____________________________________________
ISSO
Enter Name
X_____________________________________________
iv
Table of Contents
1
Background ............................................................................................................................................................................. 1
2 Applicability ............................................................................................................................................................................. 1
3 References .............................................................................................................................................................................. 1
4 Reciprocity .............................................................................................................................................................................. 1
5 System Identification .............................................................................................................................................................. 1
System Overview ........................................................................................................................................................... 1
Security Categorization ................................................................................................................................................. 1
5.2.1 Summary Results and Rationale .......................................................................................................................... 1
5.2.2 Categorization Detailed Results ........................................................................................................................... 1
Information Impact Categorization ..................................................................................................................................... 1
5.2.2.1 System Security Impact Categorization........................................................................................................... 1
5.2.2.2 Risk Adjusted System Impact Categorization .................................................................................................. 2
5.2.3 Control Selection ................................................................................................................................................. 2
6 Key Roles and Responsibilities ................................................................................................................................................ 2
Risk Management .......................................................................................................................................................... 2
IA Support Personnel ..................................................................................................................................................... 3
7 System Environment ............................................................................................................................................................... 4
Physical Environment .................................................................................................................................................... 4
Facility/System Layout ................................................................................................................................................... 4
Personnel Authorizations .............................................................................................................................................. 4
System Classification Level(s) & Compartment(s) ......................................................................................................... 4
Unique Data Handling Requirements ............................................................................................................................ 5
Information Access Policies ........................................................................................................................................... 5
8 General System Description/Purpose ..................................................................................................................................... 5
System Description ........................................................................................................................................................ 5
System Architecture ...................................................................................................................................................... 5
Functional Architecture ................................................................................................................................................. 5
User Roles and Access Privileges ................................................................................................................................... 5
9 Interconnections ..................................................................................................................................................................... 5
Direct Network Connections ......................................................................................................................................... 5
Indirect Connections/Information Sharing .................................................................................................................... 6
Memoranda of Understanding (MOU), Memoranda of Agreement (MOA), Co-Utilization Agreements (CUA) and
Interconnection Security Agreements (ISA) ................................................................................................................................. 6
10 Baseline Security Controls ....................................................................................................................................................... 2
Summary Listing of Required Controls for a Moderate – Low – Low (M-L-L) Baseline.................................................. 2
Access Control (AC) ....................................................................................................................................................... 2
10.2.1 AC-1 – Access Control Policy and Procedures Requirements .............................................................................. 2
10.2.2 AC-2 – Account Management (+ Privacy Overlay) ............................................................................................... 2
10.2.2.1 AC-2 (1) – Account Management: Automated System Account Management (- Standalone Overlay) ......... 3
10.2.2.2 AC-2(2) – Account Management: Removal of Temporary/Emergency Accounts (- Standalone Overlay) ...... 4
10.2.2.3 AC-2(3) – Account Management: Disable Inactive Accounts (- Standalone Overlay) .................................... 4
10.2.2.4 AC-2(4) – Account Management: Automated Audit Actions ......................................................................... 5
10.2.2.5 AC-2(5) – Account Management: Inactivity Logout ....................................................................................... 5
10.2.2.6 AC-2(7) – Account Management: Role Based Schemes (- Standalone Overlay)............................................. 5
10.2.2.7 AC-2(9) – Account Management: Restrictions on Use of Shared Groups/Accounts (+ Privacy Overlay) –
NEW BASELINE..................................................................................................................................................................... 6
10.2.2.8 AC-2(10) – Account Management: Shared/Group Account Credential Termination – NEW BASELINE ......... 6
10.2.2.9 AC-2(12) – Account Management: Active Monitoring/Atypical Usage – NEW BASELINE .............................. 7
10.2.2.10 AC-2(13) – Account Management: Disable Accounts for High-Risk Individuals (+ Privacy Overlay) – NEW
BASELINE 7
10.2.3 AC-3 – Access Enforcement (+ Privacy Overlay) .................................................................................................. 7
10.2.3.1 AC-3(2) – Access Enforcement: Dual Authorization (+ Classified Overlay) – NEW BASELINE ......................... 8
v
10.2.3.2 AC-3 (3) – Access Enforcement: Mandatory Access Control ............................ Error! Bookmark not defined.
10.2.3.3 AC-3(4) – Access Enforcement: Discretionary Access Control (+ Classified Overlay) (- Standalone Overlay) . 8
10.2.3.4 AC-3(6) – Access Enforcement: Protection of User and System Information – WITHDRAWN Incorporated
into MP-4 and SC-28 ............................................................................................................................................................ 9
10.2.4 AC-4 – Information Flow Enforcement ................................................................................................................ 9
10.2.4.1 AC-4 (1) – Information Flow Enforcement: Object Security Attributes ............ Error! Bookmark not defined.
10.2.4.2 AC-4 (9) – Information Flow Enforcement: Human Reviews ............................ Error! Bookmark not defined.
10.2.5 AC-5 – Separation of Duties (+ Classified Overlay)............................................................................................... 9
10.2.6 AC-6 – Least Privilege (+ Classified & Privacy Overlay) ...................................................................................... 10
10.2.6.1 AC-6(1) – Least Privilege: Authorize Access to Security Functions ............................................................... 11
10.2.6.2 AC-6(2) – Least Privilege: Non-Privileged Access for Non-Security Functions .............................................. 11
10.2.6.3 AC-6(5) – Least Privilege: Privileged Accounts ............................................................................................. 12
10.2.6.4 AC-6(7) – Least Privilege: Review of User Privileges (+ Classified & Privacy Overlay) (- Standalone Overlay)
– NEW BASELINE ................................................................................................................................................................ 12
10.2.6.5 AC-6(8) – Least Privilege: Privilege Levels for Code Execution – NEW BASELINE ......................................... 12
10.2.6.6 AC-6(9) – Least Privilege: Auditing Use of Privileged Functions – NEW BASELINE ....................................... 13
10.2.6.7 AC-6(10) – Least Privilege: Prohibit Non-Privileged Users from Executing Privileged Functions – NEW
BASELINE 13
10.2.7 AC-7 – Unsuccessful Login Attempts ................................................................................................................. 14
10.2.7.1 AC-7 (2) – Unsuccessful Logon Attempts: Purge-Wipe Mobile Device (+ Classified & Intelligence Overlay)
Error! Bookmark not defined.
10.2.8 AC-8 – System Use Notification ......................................................................................................................... 14
10.2.9 AC-9 – Previous Logon (Access) Notification (+ Classified) – NEW......................... Error! Bookmark not defined.
10.2.10 AC-10 – Concurrent Session Control (- Standalone Overlay) – NEW BASELINE ................................................. 15
10.2.11 AC-11 – Session Lock (+ Classified) .................................................................................................................... 15
10.2.11.1 AC-11(1) – Session Lock: Pattern Hiding Displays (+ Classified Overlay) ...................................................... 16
10.2.12 AC-12 – Session Termination – NEW BASELINE ................................................................................................. 16
10.2.12.1 AC-12(1) – Session Termination: User-Initiated Logouts/Message Displays – NEW BASELINE .................... 17
10.2.13 AC-14 – Permitted Actions without Identification or Authentication ................................................................ 17
10.2.13.1 AC-14(1) - Permitted Actions without Identification or Authentication: Necessary Uses WITHDRAWN
Incorporated into AC-14 .................................................................................................................................................... 18
10.2.14 AC-16 – Security Attributes (+ Classified & Privacy Overlay) – NEW BASELINE ................................................. 18
10.2.14.1 AC-16(3) – Security Attributes: Maintenance of Attribute Associations by Information System (+ Privacy
Overlay) - NEW ...................................................................................................................... Error! Bookmark not defined.
10.2.14.2 AC-16(5) – Security Attributes: Attribute Displays for Output Devices (+ Classified Overlay) – NEW .......... 19
10.2.14.3 AC-16(6) – Security Attributes: Maintenance of Attribute Association by Organization (+ Classified Overlay)
– NEW 19
10.2.14.4 AC-16(7) – Security Attributes: Consistent Attribute Interpretation (+ Classified Overlay) (- Standalone
Overlay) – NEW ................................................................................................................................................................. 19
10.2.15 AC-17 – Remote Access (- Standalone & CRN Overlay)...................................................................................... 20
10.2.15.1 AC-17(1) – Remote Access: Automated Monitoring/Control (- Standalone & CRN Overlay) ....................... 20
10.2.15.2 AC-17(2) – Remote Access: Protection of Confidentiality/Integrity Using Encryption (- Standalone & CRN
Overlay) 21
10.2.15.3 AC-17(3) - Remote Access: Managed Access Control Points (- Standalone & CRN Overlay) ........................ 21
10.2.15.4 AC-17(4) – Remote Access: Privileged Commands/Access (- Standalone & CRN Overlay) .......................... 21
10.2.15.5 AC-17(6) – Remote Access: Protection of Information (- Standalone & CRN Overlay) ................................ 22
10.2.15.6 AC-17(7) – Remote Access: Additional Protection for Security Function Areas WITHDRAWN Incorporated
Into AC-3(10) ..................................................................................................................................................................... 22
10.2.15.7 AC-17(8) – Remote Access: Disable Nonsecure Network Protocols WITHDRAWN Incorporated Into CM-7 22
10.2.15.8 AC-17(9) – Remote Access: Disconnect/Disable Access (- Standalone Overlay) – NEW BASELINE .............. 22
10.2.16 AC-18 – Wireless Access (+ Classified Overlay) (- Standalone Overlay) ............................................................. 23
10.2.16.1 AC-18(1) – Wireless Access: Authentication & Encryption (- Standalone Overlay) ...................................... 23
10.2.16.2 AC-18(2) – Wireless Access: Monitoring Unauthorized Connections WITHDRAWN Incorporated Into SI-4 24
10.2.16.3 AC-18(3) – Wireless Access: Disable Wireless Networking (+ Classified Overlay) (- Standalone Overlay) ... 24
10.2.16.4 AC-18(4) – Wireless Access: Restrict Configurations by Users (+ Classified Overlay) (- Standalone Overlay)
24
10.2.17 AC-19 – Access Control for Mobile Devices (+ Classified) .................................................................................. 25
vi
10.2.17.1 AC-19(1) – Access Control for Mobile Devices: Use of Writable/Portable Storage Devices WITHDRAWN
Incorporated Into MP-7 ..................................................................................................................................................... 25
10.2.17.2 AC-19(2) – Access Control for Mobile Devices: Use of Personally-Owned Portable Storage Devices
WITHDRAWN Incorporated Into MP-7 .............................................................................................................................. 25
10.2.17.3 AC-19(3) – Access Control for Mobile Devices: Use of Portable Storage Devices with No Identifiable Owner
WITHDRAWN Incorporated Into MP-7 .............................................................................................................................. 25
10.2.17.4 AC-19(5) – Access Control for Mobile Devices: Full Device/Container Based Encryption (+ Privacy Overlay)
– NEW BASELINE ................................................................................................................................................................ 25
10.2.18 AC-20 – Use of External Information Systems (+ Classified) .............................................................................. 26
10.2.18.1 AC-20(1) – Use of External Information Systems: Limits on Authorized Use (+ Classified & Privacy Overlay)
(- Standalone & CRN Overlay) ............................................................................................................................................ 26
10.2.18.2 AC-20(2) – Use of External Information Systems: Portable Storage Devices (+ Classified Overlay) (- CRN
Overlay) 27
10.2.18.3 AC-20(3) – Use of External Information Systems/Non-Organizationally Owned Systems-Components-
Devices (+ Classified) – NEW BASELINE ............................................................................................................................. 28
10.2.18.4 AC-20(4) – Use of External Information Systems: Network Accessible Storage Devices (+ Classified Overlay)
(- Standalone Overlay) – NEW ........................................................................................................................................... 28
10.2.19 AC-21 – Information Sharing () .......................................................................................................................... 28
10.2.19.1 AC-21 (1) – Information Sharing: Automated Decision Support ...................... Error! Bookmark not defined.
10.2.20 AC-22 – Publicly Accessible Content)(- Standalone & CRN Overlay) .................................................................. 29
10.2.21 AC-23 – Data Mining Protection (+ Classified) (- Standalone Overlay) – NEW BASELINE................................... 30
Awareness and Training (AT) ....................................................................................................................................... 32
10.3.1 AT-1 – Security Awareness & Training Policy and Procedures ........................................................................... 32
10.3.2 AT-2 – Security Awareness (+ Classified) ........................................................................................................... 32
10.3.2.1 AT-2(2) – Security Awareness: Insider Threat (+ Classified Overlay) – NEW BASELINE ................................ 33
10.3.3 AT-3 – Role-Based Security Training .................................................................................................................. 33
10.3.3.1 AT-3(2) – Security Training: Physical Security Controls ................................................................................ 34
10.3.3.2 AT-3(4) – Security Training: Suspicious Communications and Anomalous System Behavior – NEW BASELINE
34
10.3.4 AT-4 – Security Training Records ....................................................................................................................... 34
10.3.5 AT-5 – Contacts with Security Groups and Associations WITHDRAWN Incorporated into PM-5 ...................... 35
Audit and Accountability (AU) ..................................................................................................................................... 36
10.4.1 AU-1 – Audit and Accountability Policy and Procedures.................................................................................... 36
10.4.2 AU-2 – Auditable Events .................................................................................................................................... 36
10.4.2.1 AU-2(3) – Auditable Events: Reviews and Updates ...................................................................................... 37
10.4.2.2 AU-2(4) – Audit Events: Privileged Functions WITHDRAWN Incorporated Into AC-6(9) .............................. 38
10.4.3 AU-3 – Content of Audit Records (+ Privacy Overlay) ........................................................................................ 38
10.4.3.1 AU-3(1) – Content of Audit Records: Additional Audit Information ............................................................. 39
10.4.4 AU-4 – Audit Storage Capacity (+ Privacy Overlay) (- Standalone Overlay) ....................................................... 39
10.4.4.1 AU-4(1) – Audit Storage: Transfer to Alternate Storage (- Standalone Overlay) – NEW BASELINE .............. 40
10.4.5 AU-5 – Response to Audit Processing Failures (- Standalone Overlay) .............................................................. 40
10.4.5.1 AU-5(1) – Response to Audit Processing Failures: Audit Storage Capacity (- Standalone Overlay) ............. 41
10.4.6 AU-6 – Audit Review, Analysis and Reporting (+ Classified Overlay) ................................................................. 41
10.4.6.1 AU-6(1) – Audit Review, Analysis and Reporting: Process Integration (- Standalone Overlay) .................... 42
10.4.6.2 AU-6(3) – Audit Review, Analysis, and Reporting: Correlate Audit Repositories (+ Privacy Overlay) (-
Standalone Overlay) .......................................................................................................................................................... 42
10.4.6.3 AU-6(4) – Audit Review, Analysis and Reporting: Central Review and Analysis (+ Classified Overlay) – NEW
BASELINE 42
10.4.6.4 AU-6(5) – Audit Review, Analysis, and Reporting: Scanning and Monitoring Capabilities (+ Classified
Overlay) – NEW ................................................................................................................................................................. 43
10.4.6.5 AU-6(8) – Audit Review, Analysis and Reporting: Full Text Analysis of Privileged Commands (+ Classified
Overlay) – NEW ................................................................................................................................................................. 43
10.4.6.6 AU-6(9) – Audit Review, Analysis and Reporting: Correlation with Information from Non-Technical Sources
(+ Classified Overlay) – NEW ............................................................................................................................................. 43
10.4.6.7 AU-6(10) – Audit Review, Analysis and Reporting: Audit Level Adjustment – NEW BASELINE .................... 44
10.4.7 AU-7 – Audit Reduction and Report Generation (+ Privacy Overlay) (- Standalone Overlay) ............................ 44
10.4.7.1 AU-7(1) – Audit Reduction and Report Generation: Automatic Processing (- Standalone Overlay) ............ 45
10.4.8 AU-8 – Time Stamps........................................................................................................................................... 45
vii
10.4.8.1 AU-8(1) – Time Stamps: Synchronization with an Authoritative Time Source (- Standalone Overlay) ........ 46
10.4.9 AU-9 – Protection of Audit Information (+ Privacy Overlay) .............................................................................. 46
10.4.9.1 AU-9(2) – Protection of Audit Information: Audit Backup on Separate Physical Systems/Components Error!
Bookmark not defined.
10.4.9.2 AU-9(3) – Protection of Audit Information: Cryptographic Protection (+ Privacy Overlay) - NEW .........Error!
10.4.9.3 AU-9(4) – Protection of Audit Information: Access by Subset of Privileged Users (- Standalone Overlay) .. 46
10.4.10 AU-10 – Non-Repudiation - NEW ........................................................................... Error! Bookmark not defined.
10.4.10.1 AU-10(1) – Non-Repudiation: Association of Identities ................................... Error! Bookmark not defined.
10.4.10.2 AU-10(5) – Non-Repudiation: Digital Signatures (+Intelligence Overlay) – WITHDRAWN Incorporated into
SI-7 47
10.4.11 AU-11 – Audit Record Retention ........................................................................................................................ 47
10.4.11.1 AU-11(1) – Audit Record Retention: Long-Term Retrieval Capability – NEW BASELINE ............................... 47
10.4.12 AU-12 – Audit Generation (+ Classified Overlay) ............................................................................................... 48
10.4.12.1 AU-12(1) Audit Generation: System-Wide/Time Correlated Audit Trail – NEW BASELINE .......................... 48
10.4.12.2 AU-12(3) – Audit Generation: Changes by Authorized Individuals – NEW BASELINE................................... 49
10.4.13 AU-13 – Monitoring for Information Disclosure .................................................... Error! Bookmark not defined.
10.4.14 AU-14 – Session Audit (+ Classified Overlay) – NEW BASELINE ......................................................................... 49
10.4.14.1 AU-14(1) – Session Audit: System Start-Up – NEW BASELINE ...................................................................... 49
10.4.14.2 AU-14(2) – Session Audit: Capture/Record and Log Content – NEW BASELINE ........................................... 50
10.4.14.3 AU-14(3) – Session Audit: Remote Viewing/Listening – NEW BASELINE...................................................... 50
10.4.15 AU-16 – Cross-Organizational Training (+ Classified Overlay) – NEW ................................................................ 50
10.4.15.1 AU-16(1) – Cross-Organizational Auditing: Identity Preservation (+ Classified Overlay) – NEW ................... 51
10.4.15.2 AU-16(2) – Cross-Organizational Auditing: Sharing of Audit Information (+ Classified Overlay) – NEW ...... 51
Security Assessment and Authorization (CA) .............................................................................................................. 52
10.5.1 CA-1 – Security Assessment and Authorization Policies & Procedures .............................................................. 52
10.5.2 CA-2 – Security Assessments ............................................................................................................................. 52
10.5.2.1 CA-2(1) – Security Assessments: Independent Assessors (- Standalone Overlay) ........................................ 53
10.5.3 CA-3 – Information System Connections (+ Classified Overlay) (- Standalone Overlay) .................................... 53
10.5.3.1 CA-3(1) – Information System Connections: Unclassified National Security System Connections (-
Standalone & CRN Overlay) ............................................................................................................................................... 54
10.5.3.2 CA-3(2) – Information System Connections: Classified National Security System Connections (+ Classified
Overlay) (- Standalone & CRN Overlay) ............................................................................................................................. 55
10.5.3.3 CA-3(3) – Information System Connections: Unclassified Non-National Security System Connections (+
Privacy Overlay) – NEW ......................................................................................................... Error! Bookmark not defined.
10.5.3.4 CA-3(5) – Information System Connections: Restrictions on External Network Connections – NEW
BASELINE 55
10.5.4 CA-5 – Plan of Action & Milestones ................................................................................................................... 55
10.5.5 CA-6 – Security Authorization ............................................................................................................................ 56
10.5.6 CA-7 – Continuous Monitoring .......................................................................................................................... 57
10.5.6.1 CA-7(1) – Continuous Monitoring: Independent Assessment (- Standalone Overlay) ................................. 58
10.5.7 CA-9 – Internal System Connections – NEW BASELINE ...................................................................................... 58
Configuration Management (CM) ............................................................................................................................... 59
10.6.1 CM-1 – Configuration Management Policy and Procedures .............................................................................. 59
10.6.2 CM-2 – Baseline Configuration .......................................................................................................................... 59
10.6.2.1 CM-2(1) – Baseline Configuration: Reviews & Updates ............................................................................... 60
10.6.2.2 CM-2 (5) – Baseline Configuration: Authorized Software WITHDRAWN Incorporated Into CM-7 ............... 61
10.6.3 CM-3 – Configuration Change Control ............................................................................................................... 61
10.6.3.1 CM-3(4) – Configuration Change Control: Security Representative .............................................................. 61
10.6.3.2 CM-3(6) – Configuration Change Control: Cryptography Management (+ Classified Overlay) – NEW
BASELINE 62
10.6.4 CM-4 – Security Impact Analysis) ....................................................................................................................... 62
10.6.5 CM-5 – Access Restrictions for Change .............................................................................................................. 63
10.6.5.1 CM-5(5) – Access Restrictions for Change: Limit Production/Operational Privileges (+ Classified Overlay) (-
10.6.5.2 CM-5(6) – Access Restrictions for Change: Limit Library Privileges .............................................................. 64
10.6.6 CM-6 – Configuration Settings ........................................................................................................................... 64
10.6.6.1 CM-6(3) – Configuration Settings: Unauthorized Change Detection WITHDRAWN Incorporated Into SI-7. 65
viii
10.6.6.2 CM-6(4) – Configuration Settings: Conformance Demonstration WITHDRAWN Incorporated Into CM-4 ... 65
10.6.7 CM-7 – Least Functionality ................................................................................................................................ 65
10.6.7.1 CM-7(1) – Least Functionality: Periodic Review (- Standalone Overlay) ...................................................... 66
10.6.7.2 CM-7(2) – Least Functionality: Prevent Program Execution (- Standalone Overlay) .................................... 66
10.6.7.3 CM-7(3) – Least Functionality: Registration Compliance (- Standalone Overlay)......................................... 66
10.6.7.4 CM-7(5) – Least Functionality: Authorized Software/Whitelisting – NEW BASELINE................................... 67
10.6.8 CM-8 – Information System Component Inventory ........................................................................................... 67
10.6.8.1 CM-8(2) – Information System Component Inventory: Automated Maintenance (- Standalone Overlay) –
NEW BASELINE................................................................................................................................................................... 68
10.6.8.2 CM-8(3) – Information System Component Inventory: Automated Unauthorized Component Detection (-
Standalone Overlay) – NEW BASELINE .............................................................................................................................. 68
10.6.9 CM-9 – Configuration Management Plan .......................................................................................................... 69
10.6.10 CM-10 – Software Usage Restrictions – NEW BASELINE .................................................................................... 69
10.6.10.1 CM-10(1) – Software Usage Restrictions: Open Source Software – NEW BASELINE .................................... 70
10.6.11 CM-11 – User Installed Software – NEW BASELINE ........................................................................................... 70
10.6.11.1 CM-11(2) – User Installed Software: Prohibit Installation with Privileged Status – NEW BASELINE ............ 71
Contingency Planning (CP)........................................................................................................................................... 72
10.7.1 CP-1 – Contingency Planning Policy and Procedures ......................................................................................... 72
10.7.2 CP-2 – Contingency Plan – Maybe tailorout based on contract requirements. ................................................. 72
10.7.3 CP-3 – Contingency Training .............................................................................................................................. 74
10.7.4 CP-4 – Contingency Plan Testing and Exercises ................................................................................................. 74
10.7.5 CP-6 - Alternate Storage Site (BASELINE) ............................................................... Error! Bookmark not defined.
10.7.6 CP-7 – Alternate Processing Site (- Standalone Overlay) ................................................................................... 75
10.7.6.1 CP-7 (5) – Alternate Processing Site: Equivalent Information Security Safeguards WITHDRAWN
Incorporated Into CP-7 ...................................................................................................................................................... 76
10.7.7 CP-9 – Information System Backup .................................................................................................................... 76
10.7.7.1 CP-9(1) – Information System Backup: Testing for Reliability/Integrity - BASELINE ...... Error! Bookmark not
defined.
10.7.8 CP-10 – Information System Recovery and Reconstitution ............................................................................... 77
Identification and Authentication (IA) ......................................................................................................................... 78
10.8.1 IA – 1 – Identification and Authentication Policy and Procedures ..................................................................... 78
10.8.2 IA-2 – Identification and Authentication (Organizational Users) (+ Classified) .................................................. 78
10.8.2.1 IA-2(1) – Identification and Authentication (Organizational Users): Network Access to Privileged Accounts
(+ Classified Overlay) (- Standalone Overlay) ........................................................................ Error! Bookmark not defined.
10.8.2.2 IA-2(2) – Identification and Authentication: Network Access to Non-Privileged Accounts (+ Classified
Overlay) (- Standalone Overlay) ........................................................................................................................................ 79
10.8.2.3 IA-2(3) – Identification and Authentication: Local Access to Privileged Accounts (- Standalone Overlay) .. 80
10.8.2.4 IA-2(4) – Identification and Authentication: Local Access to Non-Privileged Accounts (- Standalone
Overlay) 80
10.8.2.5 IA-2(5) – Identification and Authentication: Group Authentication (- Standalone Overlay) ........................ 80
10.8.2.6 IA-2(8) – Identification and Authentication: Network Access to Privileged Accounts – Replay Resistant (-
10.8.2.7 IA-2(9) – Identification and Authentication (Organizational Users): Network Access to Non-Privileged
Accounts – Replay Resistant (- Standalone Overlay) ......................................................................................................... 81
10.8.2.8 IA-2(11) – Identification and Authentication (Organizational Users): Remote Access-Separate Device (-
10.8.2.9 IA-2(12) – Identification and Authentication (Organizational Users): Acceptance of PIV Credentials (-
10.8.3 IA-3 – Device Identification and Authentication (- Standalone Overlay) ........................................................... 83
10.8.3.1 IA-3(1) – Device Identification and Authentication: Cryptographic Bi-Directional Authentication (-
10.8.3.2 IA-4 – Identifier Management ....................................................................................................................... 84
10.8.3.3 IIA-4(4) – Identifier Management: Identify User Status (- Standalone Overlay) .......................................... 84
10.8.4 IA-5 – Authenticator Management .................................................................................................................... 85
10.8.4.1 IA-5(1) – Authenticator Management: Password-Based Authentication ..................................................... 86
10.8.4.2 IA-5(2) – Authenticator Management: PKI-Based Authentication (- Standalone Overlay) .......................... 87
10.8.4.3 IA-5(4) – Authenticator Management: Automated Support for Password Strength Determination ........... 87
10.8.4.4 IA-5(7) – Authenticator Management: No Embedded Unencrypted Static Authenticators ......................... 88
ix
10.8.4.5 IA-5(8) – Authenticator Management: Multiple Information System Accounts .......................................... 88
10.8.4.6 IA-5(11) – Authenticator Management: Hardware Token-Based Authentication – NEW BASELINE ............ 88
10.8.4.7 IA-5(13) – Authenticator Management: Expiration of Cached Authenticators (- Standalone Overlay) – NEW
BASELINE 89
10.8.4.8 IA-5(14) – Authenticator Management: Managing Content of PKI Trust Stores (- Standalone Overlay) –
NEW BASELINE................................................................................................................................................................... 89
10.8.5 IA-6 – Authenticator Feedback .......................................................................................................................... 90
10.8.6 IA-7 – Cryptographic Module Authentication .................................................................................................... 90
10.8.7 IA-8 – Identification and Authentication (Non-Organizational Users) (- Standalone Overlay) .......................... 90
10.8.7.1 IA-8(1) – Identification and Authentication (Non-Organizational Users): Acceptance of PIV Credentials
from Other Agencies (- Standalone Overlay) – NEW BASELINE ......................................................................................... 91
10.8.7.2 IA-8(2) – Identification and Authentication (Non-Organizational Users): Acceptance of Third-Party
Credentials (- Standalone Overlay) – NEW BASELINE ........................................................................................................ 91
10.8.7.3 IA-8(3) – Identification and Authentication (Non-Organizational Users): Use of FICAM Approved Products
(- Standalone Overlay) – NEW BASELINE ........................................................................................................................... 92
10.8.7.4 IA-8(4) - Identification and Authentication (Non-Organizational Users): Use of FICAM Issued Profiles (-
Incident Response (IR) ................................................................................................................................................. 93
10.9.1 IR-1 – Incident Response Policy and Procedures ............................................................................................... 93
10.9.2 IR-2 – Incident Response Training ...................................................................................................................... 93
10.9.3 IR-3 – Incident Response Testing ....................................................................................................................... 94
10.9.3.1 IR-3(2) – Incident Response Testing and Exercises: Coordination with Related Plans – NEW BASELINE ..... 94
10.9.4 IR-4 – Incident Handling ..................................................................................................................................... 95
10.9.4.1 IR-4(1) – Incident Handling: Automated Incident Handling Processes ......................................................... 95
10.9.4.2 IR-4(3) – Incident Handling: Continuity of Operations ................................................................................. 96
10.9.4.3 IR-4(4) – Incident Handling: Information Correlation .................................................................................. 96
10.9.4.4 IR-4(6) – Incident Handling: Insider Threats – Specific Capabilities – NEW BASELINE ................................. 96
10.9.4.5 IR-4(7) – Incident Handling: Insider Threats – Intra-Organization Coordination – NEW BASELINE .............. 97
10.9.4.6 IR-4(8) – Incident Handling: Correlation with External Organization – NEW BASELINE ............................... 97
10.9.5 IR-5 – Incident Monitoring ................................................................................................................................. 98
10.9.6 IR-6 – Incident Reporting ................................................................................................................................... 98
10.9.6.1 IR-6(1) – Incident Reporting: Automated Reporting .................................................................................... 99
10.9.6.2 IR-6(2) – Incident Reporting: Vulnerabilities Related to Incidents ................................................................ 99
10.9.7 IR-7 – Incident Response Assistance ................................................................................................................ 100
10.9.7.1 IR-7(1) – Incident Response Assistance: Automation Support for Availability of Information ................... 100
10.9.7.2 IR-7(2) – Incident Response Assistance: Coordination with External Providers ......................................... 100
10.9.8 IR-8 – Incident Response Plan .......................................................................................................................... 101
10.9.9 IR-9 – Information Spillage Response (+ Classified Overlay) – NEW BASELINE ................................................ 101
10.9.9.1 IR-9(1) – Information Spillage Response: Responsible Personnel (+ Classified Overlay) – NEW BASELINE 102
10.9.9.2 IR-9(2) – Information Spillage Response: Training (+ Classified Overlay) – NEW BASELINE ....................... 102
10.9.9.3 IR-9(4) – Information Spillage Response: Exposure to Unauthorized Personnel (+ Classified Overlay) – NEW
BASELINE 103
10.9.10 IR-10 – Integrated Information Security Cell (+ Privacy Overlay) – NEW BASELINE ......................................... 103
Maintenance (MA) .................................................................................................................................................... 104
10.10.1 MA-1 – System Maintenance Policy and Procedures ...................................................................................... 104
10.10.2 MA-2 – Controlled Maintenance ..................................................................................................................... 104
10.10.3 MA-3 – Maintenance Tools .............................................................................................................................. 105
10.10.3.1 MA-3(1) – Maintenance Tools: Inspect Tools............................................................................................. 105
10.10.3.2 MA-3(2) – Maintenance Tools: Inspect Media ........................................................................................... 105
10.10.3.3 MA-3(3) – Maintenance Tools: Prevent Unauthorized Removal (+ Classified Overlay) ............................. 106
10.10.4 MA-4 – Non-Local Maintenance (- Standalone Overlay) ................................................................................. 106
10.10.4.1 MA-4(1) – Non-Local Maintenance: Auditing and Review ......................................................................... 107
10.10.4.2 MA-4(3) – Non-Local Maintenance: Comparable Security/Sanitization (- Standalone Overlay) ................ 107
10.10.4.3 MA-4(6) – Non-Local Maintenance: Cryptographic Protection (+ Privacy Overlay) (- Standalone Overlay)
108
10.10.4.4 MA-4(7) – Non-Local Maintenance: Remote Disconnect Verification (- Standalone Overlay) ................... 108
10.10.5 MA-5 – Maintenance Personnel ...................................................................................................................... 109
10.10.5.1 MA-5(1) – Maintenance Personnel: Individuals without Appropriate Access (+ Classified Overlay) ......... 109
x
10.10.5.2 MA-5(2) – Maintenance Personnel: Security Clearances for Classified Systems ....................................... 110
10.10.5.3 MA-5(3) – Maintenance Personnel: Citizenship Requirements for Classified Systems .............................. 110
10.10.5.4 MA-5(4) – Maintenance Personnel: Foreign Nationals .............................................................................. 111
Media Protection (MP) .............................................................................................................................................. 112
10.11.1 MP-1 – Media Protection Policy and Procedures ............................................................................................ 112
10.11.2 MP-2 – Media Access (+ Classified) .................................................................................................................. 112
10.11.2.1 MP-2(2) – Media Access: Cryptographic Protection WITHDRAWN Incorporated Into SC-28 .................... 112
10.11.3 MP-3 – Media Marking (+ Classified) ............................................................................................................... 112
10.11.4 MP-4 – Media Storage (+ Classified) ................................................................................................................ 113
10.11.5 MP-5 – Media Transport (+ Classified) ............................................................................................................. 114
10.11.5.1 MP-5(3) – Media Transport: Custodians (+ Classified Overlay) – NEW ....................................................... 114
10.11.5.2 MP-5(4) – Media Transport: Cryptographic Protection (+ Classified) ........................................................ 115
10.11.6 MP-6 – Media Sanitization (+ Classified) .......................................................................................................... 115
10.11.6.1 MP-6(1) – Media Sanitization: Review/Approve/Track/Document/Verify (+ Classified) ........................... 115
10.11.6.2 MP-6(2) – Media Sanitization: Equipment Testing (+ Classified Overlay) .................................................. 116
10.11.6.3 MP-6(3) – Media Sanitization: Non-Destructive Techniques (+ Classified Overlay) .................................. 116
10.11.6.4 MP-6(4) – Media Sanitization: Controlled Unclassified Information WITHDRAWN Incorporated Into MP-6
117
10.11.6.5 MP-6(5) – Media Sanitization: Classified Information WITHDRAWN Incorporated Into MP-6 .................. 117
10.11.6.6 MP-6(6) – Media Sanitization: Media Destruction WITHDRAWN Incorporated Into MP-6 ....................... 117
10.11.7 MP-7 – Media Use (+ Classified Overlay) – NEW BASELINE ............................................................................. 117
10.11.7.1 MP-7(1) – Media Use: Prohibit Use without Owner – NEW BASELINE....................................................... 117
10.11.8 MP-8 – Media Downgrading (+ Classified Overlay) – NEW .............................................................................. 118
10.11.8.1 MP-8(1) – Media Downgrading: Documentation of Process (+ Classified Overlay) – NEW ........................ 118
10.11.8.2 MP-8(2) – Media Downgrading: Equipment Testing (+ Classified Overlay) – NEW .................................... 119
10.11.8.3 MP-8(4) – Media Downgrading: Classified Information (+ Classified Overlay) – NEW ............................... 119
Physical and Environment Protection (PE) ................................................................................................................ 120
10.12.1 PE-1 – Physical and Environmental Protection Policy and Procedures ............................................................ 120
10.12.2 PE-2 – Physical Access Authorizations ............................................................................................................. 120
10.12.2.1 PE-2(3) – Physical Access Authorizations: Restrict Unescorted Access (+ Classified Overlay) – NEW ....... 120
10.12.3 PE-3 – Physical Access Control ......................................................................................................................... 121
10.12.3.1 PE-3(1) – Physical Access Control: Information System Access – NEW BASELINE ...................................... 121
10.12.3.2 PE-3(2) – Physical Access Control: Facility/Information System Boundaries (+ Classified Overlay) ........... 122
10.12.3.3 PE-3(3) – Physical Access Control: Continuous Guards/Alarms/Monitoring (+ Classified Overlay) ........... 122
10.12.4 PE-4 – Access Control for Transmission Medium (+ Classified Overlay) (- Standalone Overlay) ...................... 123
10.12.5 PE-5 – Access Control for Output Devices ....................................................................................................... 123
10.12.5.1 PE-5(3) – Access Control for Output Devices: Marking Output Devices (+ Classified Overlay) – NEW ...... 123
10.12.6 PE-6 – Monitoring Physical Access ................................................................................................................... 124
10.12.6.1 PE-6(1) – Monitoring Physical Access: Intrusion Alarms/Surveillance Equipment – NEW BASELINE ......... 124
10.12.7 PE-7 – Visitor Control includes PE-7(1) – Visitor Control: Visitor Escort and PE-7(2) – Visitor Control: Visitor
Identification – WITHDRAWN Incorporated into PE-2 and PE-3 .......................................................................................... 125
10.12.8 PE-8 – Access Records ...................................................................................................................................... 125
10.12.9 PE-12 – Emergency Lighting ............................................................................................................................. 125
10.12.10 PE-13 – Fire Protection .................................................................................................................................... 125
10.12.11 PE-14 – Temperature and Humidity Controls .................................................................................................. 126
10.12.12 PE-15 – Water Damage Protection .................................................................................................................. 126
10.12.13 PE-16 – Delivery and Removal ......................................................................................................................... 127
10.12.14 PE-17 – Alternate Work Site ............................................................................................................................ 127
10.12.15 PE-19 – Information Leakage (+ Classified Overlay) ......................................................................................... 128
10.12.15.1 PE-19(1) – Information Leakage: National Emissions/TEMPEST Policies and Procedures (+ Classified
Overlay) 128
Planning (PL) .............................................................................................................................................................. 129
10.13.1 PL-1 – Security Planning Policy and Procedures .............................................................................................. 129
10.13.2 PL-2 – System Security Plan ............................................................................................................................. 129
10.13.2.1 PL-2(3) – System Security Plan: Coordinate with Organization Entities – NEW BASELINE ......................... 130
10.13.3 PL-4 – Rules of Behavior .................................................................................................................................. 131
10.13.3.1 PL-4(1) – Rules of Behavior: Social Media and Networking Restrictions – NEW BASELINE ........................ 131
10.13.4 PL-5 – Privacy Impact Assessment – WITHDRAWN Incorporated into Appendix J, AR-2................................. 132
xi
10.13.5 PL-6 – Security-Related Activity Planning – WITHDRAWN Incorporated into PL-2 .......................................... 132
10.13.6 PL-8 – Information Security Architecture– NEW BASELINE ............................................................................. 132
10.13.6.1 PL-8(1) – Information Security Architecture: Defense in Depth – NEW BASELINE ..................................... 133
10.13.6.2 PL-8(2) – Information Security Architecture: Supplier Diversity – NEW BASELINE .................................... 133
Personnel Security (PS) .............................................................................................................................................. 134
10.14.1 PS-1 – Personnel Security Policy and Procedures ............................................................................................ 134
10.14.2 PS-2 – Position Categorization ......................................................................................................................... 134
10.14.3 PS-3 – Personnel Screening .............................................................................................................................. 134
10.14.3.1 PS-3(1) – Personnel Screening: Classified Information (+ Classified Overlay) ............................................ 134
10.14.3.2 PS-3(3) – Personnel Screening: Information With Special Protection Measures (+ Privacy Overlay) – NEW
135
10.14.4 PS-4 – Personnel Termination (+ Classified) .................................................................................................... 135
10.14.4.1 PS-4(1) – Personnel Termination: Post-Termination Requirements (+ Classified Overlay) – NEW BASELINE
136
10.14.5 PS-5 – Personnel Transfer ................................................................................................................................ 136
10.14.6 PS-6 – Access Agreements ............................................................................................................................... 137
10.14.6.1 PS-6(1) – Access Agreements: Information Requiring Special Protection – WITHDRAWN Incorporated into
PS-3 138
10.14.6.2 PS-6(2) – Access Agreements: Classified Information Requiring Special Protection (+ Classified Overlay) 138
10.14.6.3 PS-6(3) – Access Agreements: Post-Employment Requirements (+ Classified Overlay) – NEW BASELINE . 138
10.14.7 PS-7 – Third-Party Personnel Security ............................................................................................................. 139
10.14.8 PS-8 - Personnel Sanctions ............................................................................................................................... 139
Risk Assessment (RA) ................................................................................................................................................. 141
10.15.1 RA-1 – Risk Assessment Policy and Procedures ............................................................................................... 141
10.15.2 RA-2 – Security Categorization ........................................................................................................................ 141
10.15.3 RA-3 – Risk Assessment ................................................................................................................................... 141
10.15.4 RA-5 – Vulnerability Scanning .......................................................................................................................... 142
10.15.4.1 RA-5(1) – Vulnerability Scanning: Update Tool Capability ......................................................................... 143
10.15.4.2 RA-5(2) – Vulnerability Scanning: Update by Frequency/Prior to New Scan/When Identified .................. 143
10.15.4.3 RA-5(4) – Vulnerability Scanning: Discoverable Information ..................................................................... 144
10.15.4.4 RA-5(5) – Vulnerability Scanning: Privileged Access .................................................................................. 144
10.15.4.5 RA-5(7) – Vulnerability Scanning: Automated Detection and Notification of Unauthorized Components –
WITHDRAWN Incorporated into CM-8 ............................................................................................................................ 144
10.15.5 RA-6 – Technical Surveillance Countermeasures Survey (+ Classified Overlay) – NEW ................................... 144
System and Services Acquisition ............................................................................................................................... 146
10.16.1 SA-1 – System and Services Acquisition Policy and Procedures....................................................................... 146
10.16.2 SA-2 – Allocation of Resources ........................................................................................................................ 146
10.16.3 SA-3 – System Development Life Cycle ............................................................................................................ 146
10.16.4 SA-4 – Acquisition Process ............................................................................................................................... 147
10.16.4.1 SA-4(1) – Acquisition Process: Functional Properties of Security Controls – NEW BASELINE .................... 147
10.16.4.2 SA-4(2) – Acquisition Process: Design/Implementation Information for Security Controls (- Standalone
Overlay) – NEW BASELINE ............................................................................................................................................... 148
10.16.4.3 SA-4(6) – Acquisition Process: Use of Information Assurance Products (+ Classified Overlay) .................. 148
10.16.4.4 SA-4(7) – Acquisition Process: NIAP Approved Protection Profiles – NEW BASELINE ................................ 149
10.16.4.5 SA-4(9) – Acquisition Process: Functions/Ports/Protocols/Services in Use – NEW BASELINE.................... 149
10.16.4.6 SA-4(10) – Acquisition Process: Use of Approved PIV Products (- Standalone Overlay) – NEW BASELINE 149
10.16.5 SA-5 – Information System Documentation .................................................................................................... 150
10.16.5.1 SA-5 (1) – Information System Documentation: Functional Properties of Security Controls – WITHDRAWN
Incorporated into SA-4(1) ................................................................................................................................................ 151
10.16.5.2 SA-5(2) – Information System Documentation: Security Relevant External System Interfaces –
WITHDRAWN Incorporated into SA-4(2) ......................................................................................................................... 151
10.16.6 SA-6 - Software Usage Restrictions – WITHDRAWN Incorporated into CM-10 and SI-7 .................................. 151
10.16.7 SA-7 – User-Installed Software – WITHDRAWN Incorporated into CM-11 and SI-7 ........................................ 151
10.16.8 SA-8 – Software Engineering Principles ........................................................................................................... 151
10.16.9 SA-9 – External Information System Services (- Standalone and CRN Overlay) ............................................... 151
10.16.9.1 SA-9(1) – External Information System Services: Risk Assessment/Organizational Approvals (- Standalone
Overlay) 152
xii
10.16.9.2 SA-9(2) – External Information System Services: Identification of Functions/Ports/Protocols/Services –
NEW BASELINE................................................................................................................................................................. 152
10.16.9.3 SA-9(5) – External Information System Services: Processing, Storage, and Service Location (+ Privacy
Overlay) – NEW ............................................................................................................................................................... 153
10.16.10 SA-10 – Developer Configuration Management .............................................................................................. 153
10.16.10.1 SA-10(1) – Developer Configuration Management: Software/Firmware Integrity Verification ................. 154
10.16.11 SA-11 – Developer Security Testing and Evaluation ........................................................................................ 154
10.16.12 SA-12 – Supply Chain Protection...................................................................................................................... 155
10.16.13 SA-15 – Development Process, Standards and Tools – NEW BASELINE ........................................................... 155
10.16.13.1 SA-15(9) – Development Process, Standards and Tools: Use of Live Data (+ Classified Overlay) – NEW
BASELINE 156
10.16.14 SA-17 – Developer Security Architecture and Design– NEW ........................................................................... 156
10.16.15 SA-19 – Component Authenticity – NEW BASELINE ........................................................................................ 157
Systems and Communications Protection (SC) .......................................................................................................... 158
10.17.1 SC-1 – Systems and Communications Protection Policy and Procedures ........................................................ 158
10.17.2 SC-2 – Application Partitioning (+ Classified Overlay) (- Standalone) .............................................................. 158
10.17.3 SC-3 – Security Function Isolation (+ Classified Overlay) – NEW ..................................................................... 158
10.17.4 SC-4 – Information in Shared Resources (-Standalone Overlay) ...................................................................... 158
10.17.5 SC-5 – Denial of Service Protection (- Standalone and CRN Overlay) .............................................................. 159
10.17.6 SC-5(1) – Denial of Service Protection: Restrict Internal Users (- Standalone and CRN Overlay).................... 159
10.17.7 SC-7 – Boundary Protection (- Standalone and CRN Overlay) .......................................................................... 160
10.17.7.1 SC-7(3) – Boundary Protection: Access Points (- Standalone and CRN Overlay) ........................................ 160
10.17.7.2 SC-7(4) – Boundary Protection: External Telecommunications Services (- Standalone and CRN Overlay) 161
10.17.7.3 SC-7(5) – Boundary Protection: Deny by Default/Allow by Exception (- Standalone and CRN Overlay) .... 161
10.17.7.4 SC-7(7) – Boundary Protection: Prevent Split Tunneling for Remote Devices (- Standalone and CRN
Overlay) 162
10.17.7.5 SC-7(8) – Boundary Protection: Route Traffic to Authenticated Proxy Servers (- Standalone and CRN
Overlay) 162
10.17.7.6 SC-7(9) – Boundary Protection: Restrict Threatening Outgoing Communications Traffic (- Standalone and
CRN Overlay) – NEW BASELINE........................................................................................................................................ 163
10.17.7.7 SC-7(10) – Boundary Protection: Prevent Unauthorized Exfiltration (- Standalone and CRN Overlay) ..... 163
10.17.7.8 SC-7(11) – Boundary Protection: Restrict Incoming Communications Traffic (- Standalone and CRN
Overlay) 163
10.17.7.9 SC-7(12) – Boundary Protection: Host-Based Protection (- Standalone and CRN Overlay) ........................ 164
10.17.7.10 SC-7(13) – Boundary Protection: Isolation of Security Tools/Mechanisms/Support Components (-
Standalone and CRN Overlay).......................................................................................................................................... 164
10.17.7.11 SC-7(14) – Boundary Protection: Protects Against Unauthorized Physical Connections (- Standalone
Overlay) 165
10.17.7.12 SC-7(17) – Boundary Protection: Automated Enforcement of Protocol Formats ...................................... 165
10.17.8 SC-8 – Transmission Confidentiality and Integrity (+ Classified) ...................................................................... 166
10.17.8.1 SC-8(1) – Transmission Confidentiality and Integrity: Cryptographic or Alternate Physical Protection (+
Classified ) – NEW BASELINE ............................................................................................................................................ 166
10.17.8.2 SC-8(2) – Transmission Confidentiality and Integrity: Pre/Post Transmission Handling (+ Classified Overlay)
(- Standalone Overlay) – NEW BASELINE ......................................................................................................................... 167
10.17.8.3 SC-8(3) – Transmission Confidentiality and Integrity: Cryptographic Protection for Message Externals (+
Classified Overlay) – NEW ............................................................................................................................................... 167
10.17.8.4 SC-8(4) – Transmission Confidentiality and Integrity: Conceal/Randomize Communications (+ Classified
Overlay) – NEW ............................................................................................................................................................... 167
10.17.9 SC-10 – Network Disconnect (- Standalone & CRN Overlay) ............................................................................ 168
10.17.10 SC-12 – Cryptographic Key Establishment and Management .......................................................................... 168
10.17.10.1 SC-12(2) – Cryptographic Key Establishment and Management/Symmetric Keys (+ Classified Overlay) –
NEW 169
10.17.10.2 SC-12(3) – Cryptographic Key Establishment and Management/Asymmetric Keys (+ Classified Overlay) –
NEW 169
10.17.11 SC-13 – Cryptographic Protection (+ Classified) ............................................................................................... 169
10.17.11.1 SC-13(3) – Cryptographic Protection: Individuals without Formal Access Approvals – WITHDRAWN
Incorporated into SC-13 .................................................................................................................................................. 170
10.17.12 SC-14 – Public Access Protections WITHDRAWN Incorporated into multiple controls .................................... 170
xiii
10.17.13 SC-15 – Collaborative Computing Devices (- Standalone & CRN Overlay) ....................................................... 170
10.17.13.1 SC-15(2) – Collaborated Computing Devices: Blocking Inbound/Outbound Communications Traffic
WITHDRAWN Incorporated into SC-7 .............................................................................................................................. 171
10.17.13.2 SC-15(3) – Collaborative Computing Devices: Disabling/Removal in Secure Work Areas (+ Classified
Overlay) (- Standalone & CRN Overlay) – NEW ............................................................................................................... 171
10.17.14 SC-17 – Public Key Infrastructure Certificates (- Standalone Overlay) ............................................................. 171
10.17.15 SC-18 – Mobile Code ........................................................................................................................................ 172
10.17.15.1 SC-18(1) – Mobile Code: Identify Unacceptable Code/Take Corrective Actions ........................................ 172
10.17.15.2 SC-18(2) – Mobile Code: Acquisition/Development/Use ........................................................................... 172
10.17.15.3 SC-18(3) – Mobile Code: Prevent Downloading/Execution ........................................................................ 173
10.17.15.4 SC-18(4) – Mobile Code: Prevent Automatic Execution ............................................................................. 173
10.17.16 SC-19 – Voice over Internet Protocol (VoIP) (- Standalone & CRN Overlay) .................................................... 174
10.17.17 SC-20 – Secure Name/Address Resolution Service (Authoritative Source) (- Standalone & CRN Overlay) ...... 174
10.17.17.1 SC-20(1) – Secure Name/Address Resolution Service (Authoritative Source): Child Subspaces WITHDRAWN
Incorporated into SC-20 .................................................................................................................................................. 175
10.17.18 SC-21 – Secure Name/Address Resolution Service (Recursive or Caching Resolver) (- Standalone & CRN
Overlay) 175
10.17.19 SC-22 – Architecture and Provisioning for Name/Address Resolution Service (- Standalone & CRN Overlay) 175
10.17.20 SC-23 – Session Authenticity (- Standalone Overlay) ....................................................................................... 176
10.17.20.1 SC-23(1) – Session Authenticity: Invalidate Session Identifiers at Logout (- Standalone Overlay) .............. 176
10.17.20.2 SC-23(2) – Session Authenticity: User Initiated Logouts/Message Displays WITHDRAWN Incorporated into
AC-12(1) 176
10.17.20.3 SC-23(3) – Session Authenticity: Unique Session Identifies with Randomization (- Standalone Overlay) . 176
10.17.20.4 SC-23(5) – Session Authenticity: Allowed Certificate Authorities (- Standalone Overlay) – NEW BASELINE
177
10.17.21 SC-28 – Protection of Information at Rest ....................................................................................................... 177
10.17.21.1 SC-28(1) – Protection of Information at Rest: Cryptographic Protection (+Classified) ............................... 178
10.17.22 SC-38 – Operations Security – NEW BASELINE................................................................................................. 178
10.17.23 SC-39 – Process Isolation – NEW BASELINE ..................................................................................................... 178
10.17.24 SC-42 – Sensor Capability and Data (+ Classified Overlay) – NEW ................................................................... 179
10.17.24.1 SC-42(3 – Sensor Capability and Data: Prohibit Use of Services (+ Classified Overlay) – NEW .................. 179
System and Information Integrity (SI) ....................................................................................................................... 181
10.18.1 SI-1 – System and Information Integrity Policy and Procedures ...................................................................... 181
10.18.2 SI-2 – Flaw Remediation .................................................................................................................................. 182
10.18.2.1 SI-2(1) – Flaw Remediation: Central Management – NEW BASELINE ........................................................ 182
10.18.2.2 SI-2(2) – Flaw Remediation: Automated Flaw Remediation Status ............................................................ 183
10.18.2.3 SI-2(3) – Flaw Remediation: Time to Remediate Flaws/Benchmarks for Corrective Actions (- Standalone
Overlay) 183
10.18.2.4 SI-2(4) – Flaw Remediation: Automated Patch Management Tools WITHDRAWN Incorporated into SI-2 183
10.18.2.5 SI-2(6) – Flaw Remediation: Removal of Previous Versions of Software/Firmware – NEW BASELINE ....... 183
10.18.3 SI-3 – Malicious Code Protection ..................................................................................................................... 184
10.18.3.1 SI-3(1) – Malicious Code Protection: Central Management (- Standalone Overlay) ................................... 185
10.18.3.2 SI-3(2) – Malicious Code Protection: Automatic Updates (- Standalone Overlay) ...................................... 185
10.18.3.3 SI-3(3) – Malicious Code Protection: Non-Privileged Users WITHDRAWN Incorporated into AC-6(10)...Error!
10.18.3.4 SI-3(5) – Malicious Code Protection: Portable Storage Devices – WITHDRAWN Incorporated into MP-7
Error! Bookmark not defined.
10.18.3.5 SI-3(10) – Malicious Code Protection: Malicious Code Analysis – NEW BASELINE...................................... 185
10.18.4 SI-4 – Information System Monitoring ............................................................................................................. 186
10.18.4.1 SI-4(1) – Information System Monitoring: System-Wide Intrusion Detection System (- Standalone Overlay)
186
10.18.4.2 SI-4(2) – Information System Monitoring: Automated Tools for Real-Time Analysis (- Standalone Overlay)
187
10.18.4.3 SI-4(4) – Information System Monitoring: Inbound and Outbound Communications Traffic (- Standalone
Overlay) 187
10.18.4.4 SI-4(5) – Information System Monitoring: System Generated Alerts (- Standalone Overlay) .................... 188
10.18.4.5 SI-4(6) – Information System Monitoring: Restrict Non-Privileged Users WITHDRAWN Incorporated into
AC-6(10) Error! Bookmark not defined.
xiv
10.18.4.6 SI-4(8) – Information System Monitoring: Protection of Monitoring Information WITHDRAWN
Incorporated into SI-4............................................................................................................ Error! Bookmark not defined.
10.18.4.7 SI-4(10) – Information System Monitoring: Visibility of Encrypted Communications (- Standalone Overlay)
– NEW BASELINE .............................................................................................................................................................. 188
10.18.4.8 SI-4(11) – Information System Monitoring: Analyze Communications Traffic Anomalies (- Standalone &
CRN Overlay) ................................................................................................................................................................... 188
10.18.4.9 SI-4(12) – Information System Monitoring: Automated Alerts (- Standalone Overlay) ............................. 189
10.18.4.10 SI-4(14) – Information System Monitoring: Wireless Intrusion Detection (- Standalone Overlay) ............ 189
10.18.4.11 SI-4(15) – Information System Monitoring: Wireless to Wireline Communications (- Standalone Overlay)
190
10.18.4.12 SI-4(16) – Information System Monitoring: Correlate Monitoring Information (- Standalone Overlay) .... 190
10.18.4.13 SI-4(19) – Information System Monitoring: Individuals Posing Greater Risk (+ Classified Overlay) – NEW
BASELINE 190
10.18.4.14 SI-4(20) – Information System Monitoring: Privileged User – NEW BASELINE........................................... 191
10.18.4.15 SI-4(21) – Information System Monitoring: Probationary Periods (+ Classified Overlay) - NEW ............... 191
10.18.4.16 SI-4(22) – Information System Monitoring: Unauthorized Network Services (- Standalone Overlay) – NEW
BASELINE 192
10.18.4.17 SI-4(23) – Information System Monitoring: Host-Based Devices (- Standalone Overlay) – NEW BASELINE
192
10.18.5 SI-5 – Security Alerts, Advisories, and Directives ............................................................................................. 192
10.18.5.1 SI-7(14) – Software, Firmware, and Information Integrity: Binary or Machine Executable Code – NEW
BASELINE 193
10.18.6 SI-10 – Information Input Validation (- Standalone Overlay) – NEW BASELINE .............................................. 193
10.18.7 SI-11 – Error Handling ...................................................................................................................................... 194
10.18.8 SI-12 – Information Handling and Retention ................................................................................................... 194
Program Management (PM) – NEW BASELINE .......................................................................................................... 196
10.19.1 PM-2 – Senior Information Security Officer ..................................................................................................... 196
10.19.2 PM-3 – Information Security Resources .......................................................................................................... 197
10.19.3 PM-4 – Plan of Action and Milestones Process ................................................................................................ 197
10.19.4 PM-5 – Information System Inventory ............................................................................................................. 198
10.19.5 PM-6 – Information Security Measures of Performance ................................................................................. 198
10.19.6 PM-7 – Enterprise Architecture ....................................................................................................................... 199
10.19.7 PM-8 – Critical Infrastructure Plan................................................................................................................... 199
10.19.8 PM-9 – Risk Management Strategy.................................................................................................................. 200
10.19.9 PM-10 – Security Authorization Process .......................................................................................................... 200
10.19.10 PM-11 – Mission/Business Process Definition ................................................................................................. 201
10.19.11 PM-12 – Insider Threat Program ...................................................................................................................... 201
10.19.12 PM-13 – Information Security Workforce ........................................................................................................ 201
10.19.13 PM-14 – Testing, Training, and Monitoring ..................................................................................................... 202
10.19.14 PM-15 – Contact with Security Groups and Associations ................................................................................ 202
10.19.15 PM-16 – Threat Awareness Program ............................................................................................................... 203
xv
INSERT LEVEL OF CLASSIFICATION. NOTE: OTHER THAN UNCLASSIFIED WILL REQUIRE PORTION MARKINGS
BACKGROUND
With the transition to Risk Management Framework (RMF) within NISP, all systems requiring authorization or re-authorization
after March 2017 will follow the RMF methodology for Local Area Networks, Wide Area Networks and Interconnected Systems.
2. This document is based on the DSS Assessment and Authorization Manual (DAAPM)
For the purposes of Information Systems (IS), this SSP incorporates the content of the Security Controls Traceability Matrix
(SCTM) and an IA SOP.
2 APPLICABILITY
This template is applicable to all Information Systems (IS) that store, process and/or transmit classified information.
3 REFERENCES
This document is based on the following references:
 NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, Revision 4, Apr 13
 CNSSI 1253, Security Categorization and Control Selection for National Security Systems, 12 May 14
4 RECIPROCITY
Reciprocity is defined as a “Mutual agreement among participating enterprises to accept each other’s security assessments in
order to reuse information system resources and/or to accept each other’s assessed security posture in order to share
information.” [CNSSI 4009]
This agreement, however, does not imply blind acceptance. The body of evidence used for assessments of the subject system
will be provided to the other participant(s) who have a vested interest in establishing a mutual agreement. The receiving party
will review the assessment evidence (e.g., system security plan (SSP), test plans, test procedures, test reports, exceptions) and
determine if there are any deltas in the evidence, (e.g., baseline/overlay controls that were tailored, a test item that was
omitted), and identify items that may require negotiations.
Reciprocity means that the system(s) will not be retested or undergo another full assessment. In the spirit of reciprocity, the
existing assessments will be accepted; only controls, test items or other pertinent items that were initially omitted are subject
to evaluation/testing to assure the system meets any additional protections required for a successful reciprocal agreement.
1
5 SYSTEM IDENTIFICATION
INSTRUCTIONS (DELETE IN FINAL DOCUMENT): All of the pre-printed text instructions, e.g., sentences that start with insert,
summarize or click here to insert text are content boxes. Click on the words to open the box and enter the text. SYSTEM
OVERVIEW
System Name Click here to enter text.
Unique Identifier Insert the organization defined unique identifier assigned to the system (e.g. CASTS
registration number). (If no number is assigned, leave blank.
Type of Information System Standalone
(Check One) Multi-User Standalone
Closed Restricted Network (Local Area Network)
Wide Area Network
Interconnected System – Contractor-to-Contractor
Interconnected System – Contractor-to-Government
Other:
Type of Plan: SSP
MSSP (Type Authorization)
The system is in the life-cycle phase noted in the table below.
System Status (Check One)
Operational The system is operating and in production.
Under Development The system is being designed, developed, or implemented
Major Modification The system is undergoing a major change, development, or transition.
Other Explain: Click here to enter text.
SECURITY CATEGORIZATION
5.2.1 Summary Results and Rationale
Summarize information in the sections below; e.g., System X is categorized as a Moderate-Low-Low system processing xxx
information types. A risk analysis indicated that no risk adjustment tailoring was required.
5.2.2 Categorization Detailed Results

Instruction (DELETE IN FINAL DOCUMENT): Record your information types in the table that follows. Record the sensitivity level
for Confidentiality, Integrity, and Availability as High, Moderate, or Low. Add more rows as needed to add more information
types. Use NIST SP 800-60 Guide for Mapping Types of Information and Systems to Security Categories, Volumes I & II, Revision
1 for guidance.
Information Impact Categorization

CNSSI 1253 Reference: 2.1.1
DAA PM Reference:
Information Impact Categorization
Information Type Confidentiality Impact Integrity Impact Availability Impact Authority
<e.g., Administrative> Choose an item. Choose an item. Choose an item. e.g., ISO
<e.g., Engineering> Choose an item. Choose an item. Choose an item. e.g., .ISO
Click here to enter text. Choose an item. Choose an item. Choose an item. e.g., SCG
5.2.2.1 System Security Impact Categorization

Instruction (DELETE IN FINAL DOCUMENT): Based on the information types in the above table, select the highest value for each
information type and enter into the table below.
1
DAA PM Reference:
Final System Impact Categorization
Confidentiality Impact Integrity Impact Availability Impact Authority
Choose an item. Choose an item. Choose an item. e.g., ISO, SCG
5.2.2.2 Risk Adjusted System Impact Categorization

DAA PM Reference: 2.1.3
Risk Adjusted System Impact Categorization
Confidentiality Impact Integrity Impact Availability Impact Authority
Choose an item. Choose an item. Choose an item. e.g., AO, REF, ISO, SCG
5.2.3 Control Selection

Instruction (DELETE IN FINAL DOCUMENT): Following ISO, SCA, and AO discussions on control selection, identify the applicable
baseline and overlays as appropriate. Fill in the appropriate baseline and overlay(s). The Accessibility, CRN, Classified, Privacy,
and Standalone overlays are included and individual controls added/removed by the overlays are identified and may require
action.
DAA PM Reference:
Baseline:
e.g., Moderate-Low-Low (MLL)
Overlays (Select/Add all that apply):
X Closed Restricted Network /Local Area Network
X Classified Information Overlay
X Standalone
6 KEY ROLES AND RESPONSIBILITIES

Instruction (DELETE IN FINAL DOCUMENT): Add, modify or delete the roles and responsibilities below as required for the
specific organization. Detailed information regarding the requirements for each of these roles is further defined in the DAA PM.
RISK MANAGEMENT
Delegated Authorizing Official (DAO)
Name: Click here to enter text.
Organization: Click here to enter text.
Address: Click here to enter text.
Phone: Click here to enter text.
Email: Click here to enter text.
Delegated AO-Representative (DAO-R)

System Certifying Authority (SCA)

Information Owner/Steward
2

Information System Owner (ISO)/Program Manager (PM)

IA SUPPORT PERSONNEL
Instruction (DELETE IN FINAL DOCUMENT): The site maintains copies of the IA Appointment Letters for all IA Personnel on file
available for review. Additional IA personnel, such as the Information Assurance Support Officer (IASO) may be added.
Information System Security Manager (ISSM)

8570 Profile Click here to enter text.
8570 Baseline Certification Click here to enter text.
System Administrator/Network Administrator (SA/NA)

Data Transfer Agent (DTA)/Trusted Download

Transfer Risk Level (High or Low): Click here to enter text.
3
7 SYSTEM ENVIRONMENT
PHYSICAL ENVIRONMENT
NIST 800-53/DAA PM Reference: PE-3
Is the secure facility accredited or approved to process and Yes
store information at the level covered by this SSP? No
Who accredited or approved the facility? Organization: Name:
Indicate if the facility is a Closed, or Restricted Area. Closed Date of Approval Click here to enter text.
Restricted Date of Approval Click here to enter
text.
Both Date of Approval Click here to enter text.
State the classification level approved for the facility, as well Secret NATO Others
as any caveats applied to the information. Top Secret RD COMSEC
Is the system approved for unattended processing? Yes

No
Is the facility approved for 24-hour operation? Yes
No
Is the facility approved for Open or Closed storage? Opened
Closed
List all items approved for Open Storage: Click here to enter text.
List all items restricted to Closed Storage: Click here to enter text.
Are classified and lower classified systems co-located within NIPRNet/NMCI/Internet Others
the facility? (If yes, complete the box to the right.) SIPRNet _______________
JWICS _______________
If there are co-located systems, what is the date of their Others
ATO? (Retain copies of the co-located system ATOs on file.) Click here to enter text. Click here to enter text.
System Click here to enter text. _______________
System Click here to enter
text.
Is a PDS required to support this connection Yes Approval Date:
No
FACILITY/SYSTEM LAYOUT
Insert diagram or include as an attachment.
PERSONNEL AUTHORIZATIONS
NIST 800-53, Rev. 4/DAA PM Reference: AC-2
Minimum Clearance Minimum Access Citizenship Foreign National
Top Secret SAP Yes

Secret SCI No
Both
SYSTEM CLASSIFICATION LEVEL(S) & COMPARTMENT(S)

Classification Caveats Compartments
Secret None <XXX>
Top Secret NATO <XXX>
RD <XXX>
4
UNIQUE DATA HANDLING REQUIREMENTS

Instruction (DELETE IN FINAL DOCUMENT): Identify any unique handling requirements, e.g. NATO, NOFORN, NOCONTR, etc.>
Identify handling requirements/caveats.
INFORMATION ACCESS POLICIES

NIST 800-53, Rev. 4/DAA PM AC-2, 3
Reference:
Instruction (DELETE IN FINAL DOCUMENT): Insert or reference organizational or system-specific user access policies relevant to
information types maintained on the information system. If appropriate, policies may be included in or placed in an appendix
to the SSP. Access controls will be enforced or adjudicated through technical means to protect the information types (e.g.
DAC/MAC).
Insert any additional organizational or system-specific user access policies.
8 GENERAL SYSTEM DESCRIPTION/PURPOSE

SYSTEM DESCRIPTION
Instruction (DELETE IN FINAL DOCUMENT): Provide a summary description of the system, its purpose and function; include high
level description of the data flow, interconnected systems, operating system(s), key components, perimeter, information
system boundary, and user(s). Ensure appropriate classification guidance is provided.
NIST 800-53, Rev. 4/DAA PM Reference: PL-2
Enter System Description.
SYSTEM ARCHITECTURE
Instruction (DELETE IN FINAL DOCUMENT): Describe the system architecture. As needed, show the architecture within the
authorization boundary (e.g. servers, workstations, printers, etc.) in diagram form and place it in Appendix A. Either reference
the location of the hardware and software lists or insert in Appendices B and C.
Describe System Architecture.
FUNCTIONAL ARCHITECTURE
Instruction (DELETE IN FINAL DOCUMENT): Describe or provide a diagram of the functional architecture of the system, e.g. Data
Flow.
Describe functional architecture; e.g., data flow. Insert diagram if appropriate.
USER ROLES AND ACCESS PRIVILEGES

Instruction (DELETE IN FINAL DOCUMENT): List roles and privileges (e.g. Privileged User, General User, Database Administrator,
and Data Transfer Agent).
Role Name Authorized Privileges and Functions Performed
Click here to enter text. Click here to enter text. Click here to enter text.
9 INTERCONNECTIONS
DIRECT NETWORK CONNECTIONS
**NOTE: Direct network connections with external organizations, whether internal or external to the facility must be
addressed in an MOU/MOA and/or ISA. Indicate in Section 5.3.
NIST 800-53, Rev. 4/DAA PM Reference: PL-2, AC-17, CA-3

This system does not connect to any other system.
5
This system connects to following system(s):

SYSTEM NAME ORGANIZATION CLASSIFICATION/ ATO ISSUED BY DATE OF ATO
COMPARTMENTS
Click here to Click here to enter Click here to enter Click here to enter Click here to enter
enter text. text. text. text. text.
INDIRECT CONNECTIONS/INFORMATION SHARING

Instruction (DELETE IN FINAL DOCUMENT): This section refers to information received through means other than a direct
connection, e.g. “Sneaker Net.” Double click on the appropriate check boxes and change the default value to “checked.”
This system does not accept or process data stored on any other systems. i.e. No input from other systems into this
system.
This system accepts and processes data stored on media created on the following system(s) as part of its core mission
processes: Complete information below.
SYSTEM NAME CLASSIFICATION & ACCREDITED BY TRANSFER METHOD
COMPARTMENTS
Click here to enter text. Click here to enter text. Click here to enter text. Click here to enter text.
Data from this system is NOT shared or distributed to any other systems. i.e. No output from this system goes into
another system.
Data stored on media created on or used on this information system is distributed for use on the following system(s):
SYSTEM NAME CLASSIFICATION & ACCREDITED BY TRANSFER METHOD
COMPARTMENTS
MEMORANDA OF UNDERSTANDING (MOU), MEMORANDA OF AGREEMENT (MOA), CO-UTILIZATION

AGREEMENTS (CUA) AND INTERCONNECTION SECURITY AGREEMENTS (ISA)
Instruction (DELETE IN FINAL DOCUMENT): Copies of the MOUs/MOAs and/or ISA referenced in this table must be available to
the SCA for review during the verification and validation testing. NOTE: In the event of more than one MOU/MOA/CUA/ISA,
copy table and complete individually for each document.
This information system does not require any MOU/MOA, CUA, or ISA.
This information system requires an MOU/MOA, CUA, and/or ISA.
NIST 800-53, Rev. 4/DAA PM Reference: AC-20

Subject of MOU/MOA/CUA/ISA Click here to enter text.
Date of MOU/MOA/CUA/ISA Click here to enter text.
POC Name Click here to enter text.
Organization Click here to enter text.
Contact (phone or e-mail) Click here to enter text.
6
READ ME FIRST:
ALL new Baseline Controls are indicated with NEW BASELINE included in the title.
Overlays are included with guidance regarding possible actions on behalf of the Program. These overlays either add or
remove security controls based on the configuration of the information system and the requirements of the Program.
ALL overlays that apply to a specific control are indicated in the Security Control title. A “+” means that the control is
required by one or more overlays; a “–“indicates that the control may be tailored out based on one or more overlays.
CRITERIA FOR THE CLASSIFIED OVERLAY: The Classified Overlay applies to ALL classified NSS including DoD and IS
and is considered part of the DAA PM baseline control set. Controls identified in the Classified Overlay may not be
tailored out and must be addressed in the security control description. All new baseline controls based on the
Classified overlay will be indicated with NEW in the control title.
CRITERIA FOR THE STANDALONE OVERLAY: This overlay may be applied for any IS that are operated in a purely
(not networked) standalone configuration, e.g., a laptop, standalone PC. Security controls that can be tailored out
base on the Standalone Overlay are identified by a (- per Standalone Overlay) in red text in the control name. If
control is not relevant to the IS, check the “Tailored Out” box; no further explanation is required. NOTE: Some of
the controls can only be tailored out for standalone IS that have ONLY one user. These are specifically identified.
CRITERIA FOR IMPLEMENTATION OF THE ISOLATED LAN/CLOSED RESTRICTED NETWORK OVERLAY: This overlay
may be applied for any IS that is operated in an internal network configuration that is not connected in any way to
an external network or information system. Security controls that can be uniquely tailored out are identified by a
(- CRN Overlay). If control is not relevant to the IS, check the “Tailored Out” box; no further explanation is
required.
NOTE FOR ALL OVERLAYS: EACH PROGRAM IS RESPONSIBLE FOR REVIEWING EVERY CONTROL
IN THE BASELINE AND DETERMINING IF THAT CONTROL IS APPLICABLE, WHETHER OR NOT AN
OVERLAY ALLOWS IT TO BE TAILORED OUT OR RECOMMENDS THE SECURITY CONTROL BE
ADDED TO THE BASELINE.
The security impact categorization of the IS for confidentiality will NEVER be lower than Moderate. In some cases, the IS will
required enhanced security for confidentiality, integrity and/or availability. In that case, the categorization for one or all
categories can be raised (e.g., from Moderate to High or from Low to Moderate, etc.) or the organization may only require
the addition of one or more specific security controls at the elevated security impact level. If additional security controls are
required, these must be added to the template and marked as “Tailored In.”
There is a short description for each control, which provides guidance on the implementation of that control. In the control
descriptions, organizational parameters or specific requirements are indicated in bold print. Please describe the information
security control as it is implemented on your system in the white sections in the tables below. You may tailor security
controls in/out based on the security impact categorization, applied overlay(s), and adjustments based on the risk
assessment. Security controls added uniquely by an overlay are indicated with a plus and the name of the overlay requiring
the control. If the control can be tailored out or must be tailored in due to an overlay, this is reflected in red text for each
affected control.
The continuous monitoring strategy for each control must be explained. This may include such language as how and when
reviews are conducted
The recommended continuous monitoring frequency from the DAAPM is provided; however, this may require adjustment
based on Program operational requirements. A change to the recommended frequency requires DAO approval. The
CONMON Reporting Spreadsheet (see Continuous Monitoring Guide) is intended to be used to track the most current review
date. If the recommended frequency is changed, a justification must be provided in the control implementation description.
In the blank for continuous monitoring strategy, indicate the means by which the control will be monitored; e.g., use
automated scanning tool, review and update document, download screenshots, etc.
1
10 BASELINE SECURITY CONTROLS

SUMMARY LISTING OF REQUIRED CONTROLS FOR A MODERATE – LOW – LOW (M-L-L) BASELINE
The following list of controls is based on the DAA PM M-L-L baseline and the CNSSI 1253 NSS Security Control Baseline. These
sections include all of the control requirements from the Joint Implementation Guide (DAA PM) to include the organizationally-
defined parameters, as well as any additional regulatory requirements. The listing of controls is intended to provide sufficient
information required to define the security control requirements. Additional clarification regarding the security control
requirements can be found in the DAA PM.
The Programs are not required to develop additional policy and procedures to address the -1 security controls. The control
requirements are incorporated into the security controls and procedures within the body of the SSP.
ACCESS CONTROL (AC)

10.2.1 AC-1 – Access Control Policy and Procedures Requirements
Program-specific policies and procedures shall be included in the specific security controls listed below. There is no
requirement for the Program to develop additional policy to meet the -1 control.
Recommended Continuous Monitoring Frequency: Annually Program Frequency: Choose an item.
Implementation Status:
Implemented Planned
Organizational Tailoring:
Compensatory Control (Provide justification below) Tailored In (Provide justification below)
Tailored Out (Provide justification below) Modified (Provide justification below)
Control Origination (check all that apply):
Common System Specific Hybrid (Common and System Specific)
Control: The organization:
a. Develops, documents, and disseminates to all authorized responsible personnel as required:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls;
and
b. Reviews and updates the current:
1. Access control policy annually or as policy and procedures dictate changes are required;
2. Access control procedures annually or as policy and procedures dictate changes are required.
CONTINUOUS MONITORING STRATEGY Click here to enter text.
10.2.2 AC-2 – Account Management
Implemented Planned
2

Organizations are responsible for managing information system accounts to include identifying account types and
procedures for creating, activating, modifying, and monitoring, disabling, and removing accounts. Definitions for types of
accounts can be found in DAA PM - AC-2. All accounts must be reviewed at least annually for changes in such items as staff
position, office symbol, contact information, transfer, etc. [AC-2.j] The validation process shall be documented. Disabled
accounts shall be terminated/removed within 12 months or after the next review cycle.
The organization manages information system accounts and:
Identifies and selects account types (i.e., individual, Click here to enter text.
group, system, application, guest/anonymous, and
temporary) as defined by the ISSM.
Assigns account managers for information system Click here to enter text.
accounts
Establishes conditions for group membership Click here to enter text.
Specifies authorized users of the information system, Click here to enter text.
group and role membership, and privileges and other
attributes for each account
Requires approvals by the ISSM/ISSO for requests to Click here to enter text.
establish accounts
Creates, enables, modifies, disables and removes Click here to enter text.
information system accounts in accordance with DAAPM
Monitors the use of information system accounts Click here to enter text.
Notifies account managers when (1) accounts are no Click here to enter text.
longer required, (2) when information system users are
terminated, transferred, and when (3) individual
information system usage or need-to-know/need-to
share changes
Authorizes access to the system based on: (1) a valid Click here to enter text.
access authorization; (2) intended system usage; and (3)
other attributes as required by the organization or
associated missions/business functions
Reviews accounts for compliance with at least annually, Click here to enter text.
if not otherwise defined in formal organizational policy
Establishes a process for reissuing shared/group account Click here to enter text.
credentials (if deployed) when individuals are removed
from the group
10.2.2.1 AC-2 (1) – Account Management: Automated System Account Management (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS.
Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.
Implemented Planned
3

The organization employs automated mechanisms to support the management of information system accounts. The use of
automated mechanisms can include using email or text messaging to automatically notify account managers when users are
terminated or transferred; to monitor account usage; or to report atypical account usage. When automated mechanisms
cannot be used, a manual process must be established and documented and will require explicit DAO approval.
Click here to enter text.
10.2.2.2 AC-2(2) – Account Management: Removal of Temporary/Emergency Accounts (- Standalone Overlay)

Implemented Planned
The information system automatically disables temporary and emergency accounts after not more than 72 hours.
10.2.2.3 AC-2(3) – Account Management: Disable Inactive Accounts (- Standalone Overlay)

Implemented Planned
All password-accessible accounts must be disabled when information system users are terminated, transferred, or no longer
require access to the information resource in the performance of their assigned duties. The information system
automatically disables inactive accounts after a maximum of 90 days of inactivity. Accounts where the user has lost their
security clearance will be disabled immediately.
4
10.2.2.4 AC-2(4) – Account Management: Automated Audit Actions

Implemented Planned
The information system automatically audits account creation, modification, disabling, and termination actions and notifies,
as required, appropriate individuals. This control supports insider threat mitigation.
10.2.2.5 AC-2(5) – Account Management: Inactivity Logout

Implemented Planned
For any extended absence (more than six hours) and at the end of each workday, users are required to logout of all
systems. This control supports insider threat mitigation.
10.2.2.6 AC-2(7) – Account Management: Role Based Schemes (- Standalone Overlay)

After a relevance determination, this control can be tailored out for standalone IS with a single user.
Implemented Planned
5

The organization establishes and administers privileged accounts in accordance with a role-based scheme; monitors
privileged role assignments; and disables (or revokes) privileged access when privileged role assignments are no longer
appropriate. This control supports insider threat mitigation. Privileged roles also include the auditor and data transfer
agent (DTA).
10.2.2.7 AC-2(9) – Account Management: Restrictions on Use of Shared Groups/Accounts– NEW BASELINE

Implemented Planned
The organization only permits the use of shared/group accounts that are operationally essential and when explicitly
authorized by the DAO. This control supports insider threat mitigation.
10.2.2.8 AC-2(10) – Account Management: Shared/Group Account Credential Termination – NEW BASELINE
Implemented Planned
The information system terminates shared/group account credential when a member/members leave the group. This
control supports insider threat mitigation.
6
10.2.2.9 AC-2(12) – Account Management: Active Monitoring/Atypical Usage – NEW BASELINE

Implemented Planned
The organization (a) monitors information system accounts for atypical usage based on Program-unique requirements and
(b) reports atypical usage of information system accounts to the ISSM immediately upon detection. This control supports
insider threat mitigation.
10.2.2.10 AC-2(13) – Account Management: Disable Accounts for High-Risk Individuals– NEW BASELINE

Implemented Planned
The organization disables accounts of users posing a significant risk immediately or as soon as possible after discovery.
See also AU-6. This control supports insider threat mitigation.
10.2.3 AC-3 – Access Enforcement
Recommended Continuous Monitoring Frequency: Semi-Annual Program Frequency: Choose an item.

Implemented Planned
All information systems shall enforce approved authorizations for logical access to information and information system
resources in accordance with approved access control policies.
7
Additionally, all information systems shall, at a minimum, enforce a Discretionary Access Control (DAC) policy that:
Allows users to specify and control sharing by named Click here to enter text.
individuals or groups of individuals, or by both
Limits propagation of access rights Click here to enter text.

Includes or excludes access to the granularity of a single Click here to enter text.
user
10.2.3.1 AC-3(2) – Access Enforcement: Dual Authorization (+ Classified Overlay) – NEW BASELINE
Implemented Planned
The organization enforces dual authorization for all transfers of data from a classified computer network to removable
media.
This includes the technical separation of roles (e.g., DTA and ISSM or designated representative etc.). Only trained Data
Transfer Agents (DTAs) are authorized to transfer data from a IS to removable media. Only ISSM and/or designated
representatives are authorized to enable permissions to transfer data to removable media. This control supports insider
threat mitigation.
Data transfer authorization enforcement can be performed by the organization, but should have technical separation of
roles to support the organization’s implemented dual authorization process. Example of implementation meeting the spirit
of AC-3(2): The organization policy states that appropriately trained Data Transfer/Trusted Download Agents are the only
individuals authorized to transfer data from a classified system to removable media and only the ISSM and/or designated
representatives are authorized to enable permissions to transfer removable media.
10.2.3.2 AC-3(4) – Access Enforcement: Discretionary Access Control (+ Classified Overlay) (- Standalone Overlay)
Implemented Planned
8

The IS enforces discretionary access control to include or exclude access to the granularity of a single user who may be
granted authorization to
a) Pass information to other subjects or objects;
b) Grant privileges to other subjects;
c) Change security attributes;
d) Choose security attributes for newly created or revised objects; and
e) Change rule governing access control when authorized. The assumption is that some user data/information in
organizational information systems is not shareable with other users who have authorized access to the same
systems. Address at a minimum: allow uses to specify and control sharing by named individuals or groups; limit
propagation of access rights; include or exclude access to the granularity of a single user.
10.2.3.3 AC-3(6) – Access Enforcement: Protection of User and System Information – WITHDRAWN Incorporated into MP-4 and
SC-28
10.2.4 AC-4 – Information Flow Enforcement

Implemented Planned
The information system enforces approved authorizations for controlling the flow of information within the system and
between interconnected systems.
Specific examples of flow control enforcement can be found in boundary protection devices (e.g., proxies, gateways, guards,
encrypted tunnels, firewalls, and routers). These devices employ rule sets or establish configuration settings that restrict
information system services, provide a packet-filtering capability based on header information, or provide message-filtering
capabilities based on content (e.g., using key word searches or document characteristics). Within the environment,
information flow control is provided by the infrastructure via the implementation of various boundary protection devices.
10.2.5 AC-5 – Separation of Duties (+ Classified Overlay)

Recommended Continuous Monitoring Frequency: Annual Program Frequency: Choose an item.
Implemented Planned
9

Insider threat mitigation requirements mandate that system administrators should not also perform security audit
administration functions without specific DAO approval and the implementation of compensatory measures. The Data
Transfer Agent (DTA) and the TPI Media Custodian shall not be the same individual. The organization:
Separates at a minimum duties of indivuiduals as Click here to enter text.
necessary
Documents separation of duties Click here to enter text.

Defines information system access authorizations to Click here to enter text.
support separation of duties
10.2.6 AC-6 – Least Privilege (+ Classified Overlay)

.
Implemented Planned
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on
behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business
functions.
The organization enforces the most restrictive set of rights/privileges or access needed by users for the performance of
specific tasks. The organization also ensures that users who must access Program information or records containing PII only
have access to the information necessary to perform their assigned tasks.
For example, system administrators, security administrators, and database administrators perform functions that do not
require use of their fully privileged account. They shall, therefore, use a separate general user account and are required to
use that account when not performing privileged functions. [AC-6(2)] Individual email accounts should not be used when
logged in as a privileged user. Other examples of least privilege include restricting access to audit logs to security auditors,
preventing general users from installing software, and/or limiting access to media drives to DTAs that have been formally
trained.
In accordance with Insider Threat Mitigation Guidance, ISSM will ensure that the number of privileged users is kept to a
minimum and conduct an internal review of all privileged users and their associated permissions quarterly and report to the
AO annually or if there has been a change in privileged users. Note: DTAs are considered privileged users with limited,
specific elevated privileges.
10
10.2.6.1 AC-6(1) – Least Privilege: Authorize Access to Security Functions

Implemented Planned
The organization explicitly authorizes access to systems and/or software that provide security relevant functions (e.g., USB
ports, I/O ports, CD/DVD drives, etc.). This control supports insider threat mitigation.
All classified information systems must technically enforce restrictions on the ability to write to removable media. By
default, all write functionality must be disabled. Whenever access to writable removable media is necessary, the write
functionality may be enabled, but this must be logged. After the write functions are completed, the write functionality must
again be disabled and logged.
Ensure media access is audited as indicated in AU-2.a. Limiting access to security functions to a limited set of authorized
personnel reduces the number of individuals able to perform security functions, such as configuring permissions, setting
audit logs, etc. At a minimum, all IS must technically enforce restrictions on the ability to write to removable media; e.g.,
all CD/DVD write functionality must be disabled by default and enabled only when required for the execution of an
approved data transfer.
10.2.6.2 AC-6(2) – Least Privilege: Non-Privileged Access for Non-Security Functions

This MLL baseline control is also required by the Privacy Overlay for IS that process, store or transmit privacy information.
Implemented Planned
The organization requires that users of information system accounts, or roles, with access to privileged functions use non-
privileged accounts, or roles when accessing other system functions, and if feasible, audits any use of privileged accounts or
roles for such functions. They shall, therefore, use a separate general user account and are required to use that account
when not performing privileged functions. Requiring users with elevated privileges to use separate accounts enables more
accurate audit of privileged user actions. Organizations should also establish a separate privileged account specific to DTA
activities. This control supports insider threat mitigation.
11
10.2.6.3 AC-6(5) – Least Privilege: Privileged Accounts

Implemented Planned
The organization limits privileged user accounts to the absolute minimum number of privileged users needed to manage the
system. In addition, super-user/root accounts shall be limited to the maximum extent possible. For example, not all
privileged users will be granted full super-user/root access.
10.2.6.4 AC-6(7) – Least Privilege: Review of User Privileges (+ Classified Overlay) (- Standalone Overlay) – NEW BASELINE
Implemented Planned
The Presidential Memo, National Insider Threat Policy and Minimum Standards for Insider Threat Programs, November 21,
2012, and DoDD 5205.16, The DoD Insider Threat Program, 30 Sep 2014, require that organizations develop insider threat
programs to include reporting the status of privileged users (e.g., total number, additions, deletions) on a quarterly basis.
Programs will report to the Special Programs Office.
The organization:
Reviews at least annually the privileges assigned to Click here to enter text.
privileged user accounts to include the DTA to validate
the need for such privileges
Reassigns or removes privileges, if necessary to correctly Click here to enter text.
reflect organizational mission/business needs
10.2.6.5 AC-6(8) – Least Privilege: Privilege Levels for Code Execution – NEW BASELINE
Implemented Planned
12

The information system prevents all software applications/programs from executing at higher levels than users executing
the application/program.
Organizations shall maintain inventory of software in use and mechanism used to enforce and ensure this control.
Example: To maintain system integrity most systems restrict the ability of an application to install other software (including
reinstalling itself). Windows users (from Vista on) are familiar with User Account Control (UAC) popup or the need to right
click and "Run as Administrator" in order to install an application. Linux users are familiar with a "su" or "sudo" to root
privilege to install applications.
10.2.6.6 AC-6(9) – Least Privilege: Auditing Use of Privileged Functions – NEW BASELINE
Implemented Planned
The information system audits the execution of privileged functions.
Privileged functions have elevated permissions to access, or grant access to Program information and/or PII. Accountability
requires the ability to detect, trace, and audit privileged functions. The information system prevents all
applications/programs from executing at higher levels than users executing the application/program. This control supports
insider threat mitigation.
10.2.6.7 AC-6(10) – Least Privilege: Prohibit Non-Privileged Users from Executing Privileged Functions – NEW BASELINE
Implemented Planned
The information system prevents non-privileged users from executing privileged functions to include disabling,
circumventing, or altering implemented security safeguards/countermeasuresThis control supports insider threat mitigation.
13

10.2.7 AC-7 – Unsuccessful Login Attempts

Implemented Planned
The information system:
Enforces a limit of maximum of three (3) consecutive Click here to enter text.
invalid logon attempts by a user during a fifteen (15)
minute time period
Automatically locks the account/node until released by Click here to enter text.
an administrator when the account is supported locally;
or if not supported locally, after a period of not less
than 15 minutes when the maximum number of
unsuccessful attempts is exceeded. (Includes the
requirements of AC-7(1))
10.2.8 AC-8 – System Use Notification

Implemented Planned
Notice and Consent Banners: “Standard mandatory notice and consent banners must be displayed at logon to all ISs and
standard mandatory consent notice and consent provisions will be included in all IS user agreements in accordance with
applicable security controls and implementation procedures.” The most current required text for the banner and user
agreements is listed within the DAAPM.
Displays to users the DoD Information System Standard Click here to enter text.
Consent Banner before granting access to the system
that provides privacy and security notices consistent
with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, and guidance
and states that: Users are accessing a U.S. Government
14
information system; Information system usage may be

monitored, recorded, and subject to audit;
Unauthorized use of the information system is
prohibited and subject to criminal and civil penalties;
and Use of the information system indicates consent to
monitoring and recording; Retains the notification
message or banner on the screen until users
acknowledge the usage conditions and take explicit
actions by clicking on a box indicating “OK” to log on to
or to further access the information system
For publicly accessible systems: Displays system use Click here to enter text.
information and prevents further activity on the
information system unless and until the user takes
positive action to acknowledge agreement by clicking on
a box indicating “OK”; Displays references, if any, to
monitoring, recording, or auditing that are consistent
with privacy accommodations for such systems that
generally prohibit those activities; and Includes a
description of the authorized uses of the system.
10.2.9 AC-10 – Concurrent Session Control (- Standalone Overlay) – NEW BASELINE

Implemented Planned
The information system limits the number of concurrent sessions for each user to a maximum of three (3) sessions. The
concurrent sessions can be defined globally, by account type (e.g., privileged user), account or combination. This control
may require 3rd party software of development of a script.
10.2.10 AC-11 – Session Lock (+ Classified)

This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit privacy information.
The control description must include the means by which the organization addresses the implementation of this control.
Implemented Planned
15

NOTE: Operational considerations may require exceptions to this requirement. Exceptions must be approved in writing by
the DAO or designee. Session locks are not authorized in lieu of logout procedures. This control supports insider threat
mitigation.
Session locks (aka screen locks) shall be configured to require authentication for reentry into the system. Systems
supporting token-based authentication shall immediately lock when the token is removed. This control also addresses
unattended processing, which must be identified in the SSP specifying the functions and/or mission related tasks that must
run as unattended processes.
Unattended Processing: Unattended processing is defined as automated processes executed/running on a user’s behalf
while no users are physically present in the area/facility. Unattended processes generally run after hours during the week or
on weekends. Automated processes may include IT administrative functions (e.g., backups, scans) as well as mission-related
tasks requiring additional network resources, e.g., executing complex algorithms. Open storage is approved based on
physical accreditation with regard to media, mission need, and risk. Unattended processing is approved by the AO based on
system, mission justification, and environment. Unattended processing must be captured in the SSP/SCTM identifying the
specific IT administrative functions and/or mission-related tasks that run as unattended processes. If possible, implement
screen lock or appropriate prominently displayed signage.
Prevents further access to the system by initiating a Click here to enter text.
session lock after 15 minutes of inactivity or upon
receiving a request from a user.
Retains the session lock until the user reestablishes Click here to enter text.
access using established identification and
authentication procedures
10.2.10.1 AC-11(1) – Session Lock: Pattern Hiding Displays (+ Classified Overlay)

Implemented Planned
The information system conceals via the session lock, the information previously visible on the display with a publicly
viewable image. The information system session lock mechanism, when activated, shall hide screen content using an
unclassified pattern or image. This control supports insider threat mitigation.
10.2.11 AC-12 – Session Termination – NEW BASELINE

Implemented Planned
16

The information system [automatically] terminates a user session when the user logs out of the IS or removes the token.
A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user)
accesses an organizational information system. Such user sessions can be terminated (and thus terminate user access)
without terminating network sessions. Session termination terminates all processes associated with a user’s logical session
except those processes that are specifically created by the user (i.e., session owner) to continue after the session is
terminated. Conditions or trigger events requiring automatic session termination can include, for example, organization-
defined periods of user inactivity, targeted responses to certain types of incidents, time-of-day restrictions on information
system use.
10.2.11.1 AC-12(1) – Session Termination: User-Initiated Logouts/Message Displays – NEW BASELINE

Implemented Planned
(a) provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access
to information resources and
(b) displays an explicit logout message to users indicating the reliable termination of authenticated communications
sessions.
10.2.12 AC-14 – Permitted Actions without Identification or Authentication

Implemented Planned
17

This control addresses situations in which organizations determine that no identification or authentication is required or
possible in organizational information systems. The organization may be required to implement compensatory measures.
Specific DAO authorization is required.
The organization:
Identifies to the DAO for authorization any actions no Click here to enter text.
user actions can be performed on the information
system without identification or authentication
consistent with organizational missions/business
functions
Documents and provides supporting rationale in the SSP Click here to enter text.
for the information system, user actions not requiring
identification or authentication
10.2.12.1 AC-14(1) - Permitted Actions without Identification or Authentication: Necessary Uses WITHDRAWN Incorporated into
AC-14
10.2.13 AC-16 – Security Attributes (+ Classified) – NEW BASELINE

Implemented Planned
For example, the organization: a. Provides the means to associate [Classification level; accesses; and handling caveat] having
[Unclassified, Confidential, Secret, Top Secret; Apples, Oranges;, FOUO, NOFORN, etc.] with information in storage, in
process, and/or in transmission; b. Ensures that the security attribute associations are made and retained with the
information; c. Establishes the permitted [Classification level; accesses; and handling caveat] for [e.g., Apples Network,
FMDR LAN]; and d. Determines the permitted [e.g., user cannot select Apples if user selected Unclassified] for each of the
established security attributes. Example implementation for a system where all users are formally accessed to all
information: a) attributes (clearance, access, PII, etc.) are identified in the headers/footers, paragraph markings, or in the
filename; b) files are saved with these attributes; c) and d) see organization-defined values in example (c and d) above.
The organization:
Provides the means to associate classification and Click here to enter text.
Program caveats based on the Program SCG with
information in storage, in process, and/or in
transmission
Ensures that the security attribute associations are Click here to enter text.
made and retained with the information
Establishes the permitted attributes (e.g., classification Click here to enter text.
level, accesses, and handling caveat) IAW the SCG for
SAR IS
18

Determines the permitted values for each of the Click here to enter text.
established security attributes
10.2.13.1 AC-16(5) – Security Attributes: Attribute Displays for Output Devices (+ Classified Overlay) – NEW
Implemented Planned
The information system displays security attributes in human-readable form on each object that the system transmits to
output devices to identify special dissemination, handling, or distribution instructions using human-readable, standard
naming conventions.
Information system outputs include, for example, pages, screens, or equivalent. Information system output devices include,
for example, printers and video displays on computer workstations, notebook computers, and personal digital assistants.
10.2.13.2 AC-16(6) – Security Attributes: Maintenance of Attribute Association by Organization (+ Classified Overlay) – NEW
Implemented Planned
The organization allows personnel to associate, and maintain the association of the appropriate level of classification,
access and/or handling caveats associated with files they create in accordance with the SCG or locally defined security
policies. For example, The organization allows the user to select and manage the appropriate classification, access,
handling caveats for files (e.g., document, email, image, folder) they create in accordance with SCG or locally defined
security policies.
10.2.13.3 AC-16(7) – Security Attributes: Consistent Attribute Interpretation (+ Classified Overlay) (- Standalone Overlay) – NEW
19

Implemented Planned
The organization provides a consistent interpretation of security attributes transmitted between distributed information
system components.
10.2.14 AC-17 – Remote Access (- Standalone & CRN Overlay)

After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks (CRN).
Recommended Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.

Implemented Planned
In most cases within the Community, access to an extension of an information system at an external location is not
considered remote access. For the purpose of this control, system/network administration within the authorization
boundary of the system, regardless of physical location, is not considered remote access. All remote access must be
approved by the DAO.
The organization:
Establishes and documents usage restrictions, Click here to enter text.
configuration/connection requirements, and
implementation guidance for each type of remote
access allowed
Authorizes remote access to the information system Click here to enter text.
prior to allowing such connections
10.2.14.1 AC-17(1) – Remote Access: Automated Monitoring/Control (- Standalone & CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and closed restricted networks.

Implemented Planned
20

The information system monitors and controls remote access methods. All remote sessions and user activity shall be
audited. This control supports insider threat mitigation.
10.2.14.2 AC-17(2) – Remote Access: Protection of Confidentiality/Integrity Using Encryption (- Standalone & CRN Overlay)
Continuous Monitoring Frequency: Weekly Program Frequency: Choose an item.
Implemented Planned
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access
sessions. This control is considered an NSS best practice.
10.2.14.3 AC-17(3) - Remote Access: Managed Access Control Points (- Standalone & CRN Overlay)
Implemented Planned
All remote accesses shall be routed through a limited number of managed access control points (e.g., via an organizationally
managed remote access server, such as a Citrix Server). This control is considered an NSS best practice.
10.2.14.4 AC-17(4) – Remote Access: Privileged Commands/Access (- Standalone & CRN Overlay)
21

Implemented Planned
The organization: Authorizes the execution of privileged commands and access to security-relevant information via remote
access only for compelling operational needs; and Documents the rationale for such access in the security plan for the
information system. This control is considered an NSS best practice.
10.2.14.5 AC-17(6) – Remote Access: Protection of Information (- Standalone & CRN Overlay)
Recommended Continuous Monitoring Frequency: Weekly Program Frequency:
Implemented Planned
The organization ensures that users protect information about remote access mechanisms from unauthorized use and
disclosure. This control is considered an NSS best practice.
10.2.14.6 AC-17(7) – Remote Access: Additional Protection for Security Function Areas WITHDRAWN Incorporated Into AC-3(10)
10.2.14.7 AC-17(8) – Remote Access: Disable Nonsecure Network Protocols WITHDRAWN Incorporated Into CM-7
10.2.14.8 AC-17(9) – Remote Access: Disconnect/Disable Access (- Standalone Overlay) – NEW BASELINE
Implemented Planned
22

The organization provides the capability to expeditiously disconnect or disable remote access to the information system no
later than one hour after notification, 30 minutes of identification of an event or inactivity for low confidentiality or integrity
impact; 20 minutes for moderate confidentiality or integrity impact; or 10 minutes for high confidentiality or integrity
impact.
Termination of the session shall be verified.

10.2.15 AC-18 – Wireless Access (+ Classified Overlay) (- Standalone Overlay)

Implemented Planned
This control applies even if no wireless is authorized in the facility. For example: wireless is prohibited and implementation
guidance should include that users are instructed/reminded during initial and annual refresher training that wireless access
and wireless devices are prohibited [AC-18.a].
In certain situations, wireless signals may radiate beyond the confines and control of organization-controlled facilities. As a
result, wireless technologies are generally prohibited from use in facilities. Exceptions may include wireless devices without
memory that convey no meaningful data (e.g., personal wearable devices, remote control devices for audio/visual
presentations and IR and Bluetooth mice). Any exceptions shall be documented and approved by the AO [AC-18.b] to
include limiting wireless capabilities within the facility boundary.
The risks associated with personally-owned wireless technologies used in medical devices must also be assessed. The
ISSM/ISSO will work in concert with the AO, as appropriate, to allow necessary medical devices to the greatest extent
possible, yet within the acceptable risk envelope as determined by the AO in coordination with the Information System
Owner. Legal Counsel must be contacted prior to non-approval of any medical device.
The organization:
Establishes usage restrictions, configuration/connection Click here to enter text.
requirements, and implementation guidance for
wireless access
Authorizes wireless access to the information system Click here to enter text.
prior to allowing such connections
Proactively monitor for unauthorized wireless Click here to enter text.
connections, including scanning for unauthorized
wireless points at least quarterly
10.2.15.1 AC-18(1) – Wireless Access: Authentication & Encryption (- Standalone Overlay)

23

Implemented Planned
If applicable, the information system protects wireless access to the system using authentication of both users and devices,
as appropriate, and encryption. This control is considered an NSS best practice.
10.2.15.2 AC-18(2) – Wireless Access: Monitoring Unauthorized Connections WITHDRAWN Incorporated Into SI-4
10.2.15.3 AC-18(3) – Wireless Access: Disable Wireless Networking (+ Classified Overlay) (- Standalone Overlay)
Implemented Planned
The organization disables, when not intended for use, wireless networking capabilities internally embedded within
information system components prior to issuance and deployment. Document and ensure wireless is disabled or removed
from devices entering the facility, e.g., smart televisions, portable electronic devices, printers.
10.2.15.4 AC-18(4) – Wireless Access: Restrict Configurations by Users (+ Classified Overlay) (- Standalone Overlay)
Implemented Planned
The organization identifies and explicitly authorizes users allowed to independently configure wireless networking
24

capabilities. General users shall be restricted from configuring wireless networking capabilities. This control supports insider
threat mitigation.
10.2.16 AC-19 – Access Control for Mobile Devices (+ Classified)

This MLL baseline control is also required by the classified Overlay for IS that process, store or transmit privacy information.
Recommended Continuous Monitoring Frequency: Monthly Program Frequency: Choose an item.
Implemented Planned
The organization:
Establishes usage restrictions, configuration Click here to enter text.
requirements, connection requirements, and
implementation guidance for organization-controlled
mobile devices
Authorizes the connection of mobile devices to Click here to enter text.
organizational information systems
CONTINUOUS MONITORING STRATEGY
10.2.16.1 AC-19(1) – Access Control for Mobile Devices: Use of Writable/Portable Storage Devices WITHDRAWN Incorporated Into
MP-7
10.2.16.2 AC-19(2) – Access Control for Mobile Devices: Use of Personally-Owned Portable Storage Devices WITHDRAWN
Incorporated Into MP-7
10.2.16.3 AC-19(3) – Access Control for Mobile Devices: Use of Portable Storage Devices with No Identifiable Owner WITHDRAWN
Incorporated Into MP-7
10.2.16.4 AC-19(5) – Access Control for Mobile Devices: Full Device/Container Based Encryption (+ Privacy Overlay) – NEW
BASELINE
Implemented Planned
25

Where appropriate, the organization employs encryption INSA or DoD approved) to protect the confidentiality and integrity
of information on all mobile devices authorized to connect to the organization’s IS. PEDs that contain classified or controlled
unclassified information (CUI) information must be encrypted with a National Security Agency (NSA) or DoD-approved
encryption standard.
10.2.17 AC-20 – Use of External Information Systems (+ Classified)

This MLL baseline control is also required by the Classified Overlay for IS that process, store or transmit information. The
control description must include the means by which the organization addresses the implementation of this control.
Implemented Planned
An external information system may be a standalone or an interconnected system/service. Providers of external information
systems should provide the ISSM with an external information system memorandum of understanding (MOU) (e.g., no
exchange of resources), or memorandum of agreement (e.g., exchange of resources such as personnel, services, funds), as
well as SOP and ATO or approval letter. An external information system MOU/MOA includes information such as the ATO
date if applicable, technical concerns (e.g., wireless (Bluetooth, etc.), cameras are turned off, microphones are disabled),
resources required (e.g., personnel), and additional system information as required (e.g., classified vs. corporate system).
Ensure a co-utilization agreement (CUA) is in place for the facility, if applicable.
In those cases where the external system connects to the system, ensure an approved connection agreement is in place with
the organization hosting the external information system. This may be accomplished via the establishment of an approved
ISA or MOA. [AC- 20(1)(a)]
For Support Systems (e.g., card readers, alarm systems) reference PE-2 guidance. Prior to allowing corporate unclassified
systems and ISSM/ISSO in coordination with corporate IT ensures endpoint security is appropriately hardened/configured,
e.g., wireless and microphones are disabled prior to approving entry.
The organization establishes terms and conditions, consistent with any trust relationships established with other
organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
Access the information system from external Click here to enter text.
information systems
Process, store, or transmit organization- Click here to enter text.
controlled information using external
information systems
10.2.17.1 AC-20(1) – Use of External Information Systems: Limits on Authorized Use (+ Classified) (- Standalone & CRN Overlay)
The control description must include the means by which the organization addresses the privacy-related implementation of
this control.
26

Implemented Planned
Authorized individuals are only permitted to use an interconnected External Information System to access the organization’s
information systems or to process, store, or transmit organization-controlled information when an approved connection
agreement is in place with the organization hosting the External Information System. This may be accomplished via the
establishment of an approved ISA. If the interconnecting systems have the same AO, an ISA is not required. This control
supports insider threat mitigation.
The organization permits authorized individuals to use an interconnected external information system or to process store or
transmit organizational-controlled information only when the organization:
Verifies the implementation of required security controls on
the external system as specified in the organizations
information security policy and security plan or…
Retains approved information system connection or
processing agreements with the organizational entity
hosting the external information system.
10.2.17.2 AC-20(2) – Use of External Information Systems: Portable Storage Devices (+ Classified Overlay)
After a relevance determination, this control can be tailored out for closed restricted networks, but must be considered as
part of the Classified Overlay.
Implemented Planned
Organizations shall limit the use of organization-controlled portable/removable storage media by authorized individuals on
External Information Systems. DAO approval is required. This control supports insider threat mitigation.
27
10.2.17.3 AC-20(3) – Use of External Information Systems/Non-Organizationally Owned Systems-Components-Devices (+

Classified) – NEW BASELINE
Implemented Planned
The organization prohibits the use of non-organizationally owned information systems, system components, or devices to
process, store, or transmit organizational information, unless specifically approved by the AO/DAO.
10.2.17.4 AC-20(4) – Use of External Information Systems: Network Accessible Storage Devices (+ Classified Overlay) (- Standalone
Overlay) – NEW
Implemented Planned
Network accessible storage devices in external information systems include, for example, online storage devices in public,
hybrid, or community cloud-based systems. The organization prohibits the use of fined network accessible storage devices in
external information systems, unless specifically approved by the AO/DAO.
10.2.18 AC-21 – Information Sharing

This MLL baseline control .
Implemented Planned
28
A sharing partner may be an individual or group on the IS, or external to the IS, e.g., sharing is being done in a circumstance
where the IS cannot enforce appropriate sharing controls, e.g., VTCs, phone conversations, and fax transmittals. The
organization will use an approved mechanism to ensure informed security decisions are made, preventing inadvertent
disclosures.
The organization:
Facilitates information sharing by enabling authorized Click here to enter text.
users to determine whether access authorizations
assigned to the sharing partner match the access
restrictions on the information
Employs automated or manual review process to assist
users in making information sharing/ collaboration
decisions
10.2.19 AC-22 – Publicly Accessible Content)(- Standalone & CRN Overlay)

29

Implemented Planned

From an organizational perspective this is a common control. Typically, this control is addressed by a Public Affairs Office or
similar entity. Information protected under the Privacy Act and vendor proprietary information are examples of nonpublic
information, as is classified information. The information to be posted must be reviewed by the appropriate organizational
element (e.g., Special Security Office (SSO), Foreign Disclosure Office (FDO), Legal, Public Affairs) prior to being posted on
the organization’s information system. [AC-22.c] [AC-22.d] Unauthorized information, if discovered, shall be removed
immediately from the publicly accessible information system and reported and information owner. Reference IR-6.
The organization:
Designates individuals authorized to post information Click here to enter text.
onto a publicly accessible information system
Trains authorized individuals to ensure that publicly Click here to enter text.
accessible information does not contain nonpublic
information
Reviews the proposed content of information prior to Click here to enter text.
posting onto the publicly accessible information system
to ensure that nonpublic information is not included
Reviews the content on the publicly accessible Click here to enter text.
information system for nonpublic information at least
quarterly, thereafter, or as new information is posted
and removes as required.
10.2.20 AC-23 – Data Mining Protection (+ Classified) (- Standalone Overlay) – NEW BASELINE
Implemented Planned
The organization employs data mining prevention and detection for Program information to adequately detect and protect
against data mining.
Data mining prevention and protection techniques include limiting responses provided to queries and notifying responsible
personnel when an unauthorized or atypical access attempt occurs.
30

31
AWARENESS AND TRAINING (AT)

10.3.1 AT-1 – Security Awareness & Training Policy and Procedures
Implemented Planned
The organization:
a. Develops, documents, and disseminates to all personnel
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy and associated
security awareness and training controls; and
1. Security awareness and training policy every 5 years; and
2. Security awareness and training procedures at least annually.
10.3.2 AT-2 – Security Awareness (+ Classified)

Implemented Planned
The organizations shall provide basic security awareness training to all information system users (including managers, senior
executives, and contractors) as part of initial training for new users, when required by system changes, and at least annually
thereafter.
Security awareness training will be conducted: (a) During in-processing; (b) Site specific information will be briefed based on
the mission and requirements of the job and Upon receipt of a USERID and password. The Privileged User, ISSM or their
alternate will brief the user on his/her IA responsibilities; (c) Awareness Refresher Training. Classroom, briefings, computer-
32

based training, or seminars will be used and documented to ensure all users comply with IA training requirements; (d)
Refresher training and awareness may also be delivered periodically through staff meetings, online delivery systems, or
similar venues, and documented in accordance with Security Training Records. [AT-4]; (e) As required, due to policy or
regulatory violations. See also [IR-4].
10.3.2.1 AT-2(2) – Security Awareness: Insider Threat (+ Classified Overlay) – NEW BASELINE
Implemented Planned
The organization includes security awareness training on recognizing and reporting potential indicators of insider threat.
These can include behaviors such as job dissatisfaction, unexplained financial resources, consistent violations of
organizational policies, etc. Carnegie Mellon Software Engineering Institute has been conducting research on insider threat
indicators for several years. Additional information on insider threat indicators can be found at:
http://www.cert.org/insider-threat/.
10.3.3 AT-3 – Role-Based Security Training

Implemented Planned
The organization provides role-based security training to personnel with assigned security roles and responsibilities:
 Before authorizing access to the information system or performing assigned duties as part of initial training for
new users;
 When required by information system changes; and at least annually thereafter.
All users shall receive initial and at least annual General User training, while users assigned to positions requiring privileged
access shall receive, in addition, Privileged User training.
See the DAA PM for specific content requirements for General and Privileged User Training, as well as the minimum
requirements for Assured File Transfer (AFT)/Trusted Download Training.
33

10.3.3.1 AT-3(2) – Security Training: Physical Security Controls

Implemented Planned
As appropriate, the organization provides ISSOs with initial and annual training in the employment and operation of physical
security mechanisms or when sufficient changes are made to physical security systems. This control supports insider threat
mitigation.
10.3.3.2 AT-3(4) – Security Training: Suspicious Communications and Anomalous System Behavior – NEW BASELINE
Implemented Planned
The organization provides training to its personnel on indicators in order to recognize of suspicious communications and/or
anomalous system behavior (e.g., receiving a suspicious email, an unexpected web communication, etc.).
10.3.4 AT-4 – Security Training Records

Implemented Planned
34

Training records shall contain, at a minimum, the following elements:
User name
Name of training
Date of training (initial and refresher)
Type of training (classroom, one-on-one, online CBT, briefing, etc.)
Initial training records must contain legal signatures, or FIPS 140-2-compliant digital signatures, of users who received the
training. Refresher training may be documented through user-initialed attendance rosters, e-mail acknowledgments,
USERIDs captured through online content delivery systems, or other similar user acknowledgments. In addition,
organizations shall maintain training records.
The organization:
Documents and monitors individual information system Click here to enter text.
security training activities including basic security
awareness training and specific information system
security training
Retains individual training records for at least five (5) Click here to enter text.
years
10.3.5 AT-5 – Contacts with Security Groups and Associations WITHDRAWN Incorporated into PM-5
35
AUDIT AND ACCOUNTABILITY (AU)

10.4.1 AU-1 – Audit and Accountability Policy and Procedures
Implemented Planned
a. Develops, documents, and disseminates to ISSO, ISSM, FSO and designated users and auditing personnel.
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit
and accountability controls; and
1. Audit and accountability policy at least annually; and
2. Audit and accountability procedures at least annually.
10.4.2 AU-2 – Auditable Events

The information system must be capable of auditing the following events at a minimum:
Auditable Events Success Failure
1 Authentication Events to include Logons and Logoffs X X
2 Security relevant directories, objects and incidents (e.g. Security Accounts Manager (SAM) X X
file, audit records, etc.) to include create, access, delete, modify, permission modification,
ownership modification.
3 Export/Writes/Downloads to devices/digital media (e.g., CD/DVD, USB, SD) X X
4 Imports/Uploads from devices/digital media (e.g., CD/DVD, USB, SD) X
5 User and Group Management Events, to include user add, delete, modify, disable, lock and X X
group/role add, delete, modify
6 Use of Privileged/Special Rights events to include security or audit policy changes and X X
configuration changes
7 Admin or root-level access X X
8 Privilege/Role escalation X X
9 Audit and security relevant log data access X X
10 System reboot, restart and shut down X X
36
Auditable Events Success Failure

11 Print to a device X X
12 Print to a file X X
13 Application (e.g., Adobe, Firefox, MS Office Suite) initialization X X

Implemented Planned
The organization:
Determines that the information system is capable at a Click here to enter text.
minimum of auditing the required events (see table
above)
Coordinates the security audit function with other Click here to enter text.
organizational entities requiring audit-related
information to enhance mutual support and to help
guide the selection of auditable events
Provides a rationale for why the auditable events are Click here to enter text.
deemed to be adequate to support after-the-fact
investigations of security incidents
Determines that the following events are to be audited Click here to enter text.
within the information system. The organization
should match the audited events with the Gold Master
(AGM).
10.4.2.1 AU-2(3) – Auditable Events: Reviews and Updates

Implemented Planned
The Organization reviews and updates the audit events annually and based on situational awareness of threats and
vulernabilities. The auditable events baseline list, as defined in the tables above, shall be reviewed annually or as policy and
procedures dictate changes are required. The review shall include coordination with other organizational entities requiring
audit-related information (e.g., Incident Response, Counterintelligence) to enhance mutual support and to help guide the
selection of auditable events. This control supports insider threat mitigation.
37
10.4.2.2 AU-2(4) – Audit Events: Privileged Functions WITHDRAWN Incorporated Into AC-6(9)
10.4.3 AU-3 – Content of Audit Records

Implemented Planned
The information system generates audit records containing information that establishes what type of event occurred, when
the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any
individuals or subjects associated with the event.
Specifically, audit records shall contain, at a minimum, the following content:
 USERID
 Type of event/action
 Success or failure of event/action
 Date
 Time
 Terminal or workstation ID
 Entity that initiated event/action
 Entity that completed event/action
 Remote Access
If manual audit collection is approved by the AO, the audit records shall contain, at a minimum, the following content:
 Date
 Identification of the user
 Time the user logs on and off the system
 Function(s) performed
 Terminal or Workstation ID
Manual audit logs may be used to record the transmission of any data over a fax connected to a secure voice line (e.g.,
Secure Terminal Equipment (STE)). Reference DoDM 5205.07-V1, Enclosure 5, para 2.b. These logs will be maintained for
one year and must include the following information:
 Sender’s name, organization and telephone number
 Date and time of fax transmission
 Classification level of the information
 Recipient’s name, organization and telephone number
38
10.4.3.1 AU-3(1) – Content of Audit Records: Additional Audit Information

Implemented Planned
The information system generates audit records containing the following additional information, such as
Detailed information that organizations may consider in audit records includes, for example, full text recording of privileged
commands or the individual identities of group account users. Organizations consider limiting the additional audit
information to only that information explicitly needed for specific audit requirements. This facilitates the use of audit trails
and audit logs by not including information that could potentially be misleading or could make it more difficult to locate
information of interest.
Specifically, audit records shall contain, at a minimum, the following content:

USERID
Type of event/action
Success or failure of event/action
Date
Time
Terminal or Workstation ID
Entity that initiated event/action
Entity that completed event/action
Remote access
10.4.4 AU-4 – Audit Storage Capacity (- Standalone Overlay)


Implemented Planned
The organization allocates audit record storage capacity in accordance with: community best practice and configures
auditing to reduce the likelihood of such capacity being exceeded. Proper audit storage capacity is crucial to ensuring the
ongoing logging of critical events. The information system must be configured to allocate sufficient log record storage
capacity so that it will not become exhausted. See also AU-5(1).
39

10.4.4.1 AU-4(1) – Audit Storage: Transfer to Alternate Storage (- Standalone Overlay) – NEW BASELINE
Implemented Planned
The information system off-loads audit records based on organizational requirements onto a different system or media
than the system being audited. Organizations should assign a frequency or threshold capacity when audit records are off-
loaded. Related control: AU-9(2).
10.4.5 AU-5 – Response to Audit Processing Failures (- Standalone Overlay)

After a relevance determination, this control can be tailored out for standalone IS with a single user. Audit processing
failures must be recorded in the audit log (second requirement below).
Implemented Planned
System should alert a system administrator and/or ISSM/ISSO. For IS that are not capable of providing a warning,
procedures for a manual method must be documented.
Tactical/deployable information systems may be developed without all the features and security controls of standard
information systems. Audit requirements for these systems should be reviewed for mission impact. For example, failure of
the audit process should not interfere with continued normal operation of a mission critical system.
Alerts designated organizational officials in the event of Click here to enter text.
an audit processing failure
Takes the following additional actions: at a minimum, Click here to enter text.
record any audit processing failure in the audit log
40
10.4.5.1 AU-5(1) – Response to Audit Processing Failures: Audit Storage Capacity (- Standalone Overlay)
After a relevance determination, this control can be tailored out for standalone IS with single users.
Implemented Planned
The information system provides a warning to ISSM and IA personnel immediately when allocated audit record storage
volume reaches [75 percent] of repository maximum audit record storage capacity. This control supports insider threat
mitigation.
Auditing processing failures include, e.g. software/hardware errors, failures in the audit capturing mechanisms, and audit
storage capacity being reached or exceeded.
10.4.6 AU-6 – Audit Review, Analysis and Reporting (+ Classified Overlay)

Implemented Planned
The purpose of the review is to verify all pertinent activity is properly recorded and appropriate action has been taken to
correct and report any identified problems. These reviews shall be documented in either an electronic or manual log.
Organizationally defined personnel or roles may include ISO, ISSM.
The organization:
Reviews and analyzes information system audit at least Click here to enter text.
weekly, or as directed by the AO/DAO for indications of
inappropriate or unusual activity
Reports findings to ISO, ISSM and FSO Click here to enter text.
41
10.4.6.1 AU-6(1) – Audit Review, Analysis and Reporting: Process Integration (- Standalone Overlay)
Implemented Planned
Information systems shall integrate and, to the extent possible, automate audit review, analysis, and reporting processes to
support organizational processes for investigation and response to suspicious activities.
10.4.6.2 AU-6(3) – Audit Review, Analysis, and Reporting: Correlate Audit Repositories - Standalone Overlay

Implemented Planned
The organization analyzes and correlates audit records across different repositories to gain organization-wide situational
awareness.
10.4.6.3 AU-6(4) – Audit Review, Analysis and Reporting: Central Review and Analysis (+ Classified Overlay) – NEW BASELINE
Implemented Planned
The information system provides the capability to centrally review and analyze audit records from multiple components
42

within the system.
10.4.6.4 AU-6(5) – Audit Review, Analysis, and Reporting: Scanning and Monitoring Capabilities (+ Classified Overlay) – NEW
Implemented Planned
The organization integrates analysis of audit records with analysis of vulnerability scanning information; performance data;
and/or information system monitoring information; and Program-defined data/information collected from other sources to
further enhance the ability to identify inappropriate or unusual activity.
10.4.6.5 AU-6(8) – Audit Review, Analysis and Reporting: Full Text Analysis of Privileged Commands (+ Classified Overlay) – NEW
Implemented Planned
The organization performs a full text analysis of audited privileged commands in a physically distinct component or
subsystem of the information system, or other information system that is dedicated to that analysis.
10.4.6.6 AU-6(9) – Audit Review, Analysis and Reporting: Correlation with Information from Non-Technical Sources (+ Classified
Overlay) – NEW
43
Implemented Planned
The organization correlates information from nontechnical sources with audit information to enhance organization wide
situational awareness.
10.4.6.7 AU-6(10) – Audit Review, Analysis and Reporting: Audit Level Adjustment – NEW BASELINE
Implemented Planned
The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a
change in risk based on law enforcement information, intelligence information, or other credible source of information.
10.4.7 AU-7 – Audit Reduction and Report Generation (+ Privacy Overlay) (- Standalone Overlay)
this control.
Implemented Planned
The information system provides an audit reduction and report generation capability that:
44

Supports on-demand audit review, analysis, and Click here to enter text.
reporting requirements and after-the-fact investigations
of security incidents
Does not alter the original content or time ordering of Click here to enter text.
audit records
10.4.7.1 AU-7(1) – Audit Reduction and Report Generation: Automatic Processing (- Standalone Overlay)
Implemented Planned
The information system provides the capability to sort and search audit records for events of interest based on selectable
event criteria.
10.4.8 AU-8 – Time Stamps

Implemented Planned
Uses internal system clocks to generate time stamps for Click here to enter text.
audit records
Records time stamps for audit records that can be Click here to enter text.
mapped to Coordinated Universal Time (UTC) or
Greenwich Mean Time (GMT). Time stamps shall
include both date and time.
45
10.4.8.1 AU-8(1) – Time Stamps: Synchronization with an Authoritative Time Source (- Standalone Overlay)
Implemented Planned
Information systems shall synchronize internal information system clocks, at least every 24 hours, with an organization-
defined time source, e.g. Domain Controller, US Naval Observatory time server. Synchronizes the internal system clocks
to the authoritative time source when the time difference is greater than the organizationally defined granularity in AU-8.
10.4.9 AU-9 – Protection of Audit Information (+ Privacy Overlay)

this control.
Implemented Planned
Information systems shall protect audit information and audit tools from unauthorized access, modification and deletion.
Audit information includes all information (e.g., audit records, audit settings, and audit reports) needed to successfully audit
information system activity. Audit information shall be handled and protected at the same security level of the information
system from which it originated, until reviewed and a determination is made of the actual classification.
10.4.9.1 AU-9(4) – Protection of Audit Information: Access by Subset of Privileged Users (- Standalone Overlay)
Implemented Planned
46

Organizations shall limit access to audit functionality to only a small subset of privileged users.
Where applicable, access shall be further restricted by distinguishing between privileged users with audit-related privileges
and privileged users without audit-related privileges to improve audit integrity. Limiting the users with audit-related
privileges helps to mitigate the risk of unauthorized access, modification, and deletion of audit information. This control
10.4.9.2 AU-10(5) – Non-Repudiation: Digital Signatures (+Intelligence Overlay) – WITHDRAWN Incorporated into SI-7
10.4.10 AU-11 – Audit Record Retention

Implemented Planned
Organizations shall retain audit records for a minimum of five (5) years for IS to provide support for after-the-fact
investigations of security incidents and to meet regulatory and organizational information retention requirements.
10.4.10.1 AU-11(1) – Audit Record Retention: Long-Term Retrieval Capability – NEW BASELINE
Implemented Planned
The organization employs a retention technology to access audit records for the duration of the required retention period to
47

ensure that long-term audit records generated by the information system can be retrieved.
10.4.11 AU-12 – Audit Generation (+ Classified Overlay)

Implemented Planned
Provides audit record generation capability for the Click here to enter text.
auditable events defined in AU-2 at all information
system and network components;
Allows designated personnel to select which auditable Click here to enter text.
events are to be audited by specific components of the
information system
Generates audit records for the list of audited events Click here to enter text.
with the content defined in Content of Audit Records
10.4.11.1 AU-12(1) Audit Generation: System-Wide/Time Correlated Audit Trail – NEW BASELINE
Implemented Planned
The information system compiles audit records from information systems auditable devices into a system-wide (logical or
physical) audit trail that is time-correlated to within the tolerance defined in AU-8 and AU 12.
The AU-12 (1) organization-defined IS components is a subset of the organization-defined components in AU-12 focused on
correlated and centralizing specific audits.
48
10.4.11.2 AU-12(3) – Audit Generation: Changes by Authorized Individuals – NEW BASELINE

Implemented Planned
The information system provides the capability for organization-defined individual to change the auditing to be performed
on information system components based on organizational defined selectable event criteria.
The information system binds the identity of the information producer to the information and provides the means for
authorized individuals to determine the identity of the producer of the information.
10.4.12 AU-14 – Session Audit (+ Classified Overlay) – NEW BASELINE

Implemented Planned
The information system provides the capability for authorized users to select a user session to capture/record or view/hear.
Verify system is capable of performing session audits, but do not initiate without legal counsel and AO involvement. This
control may be used to audit file transfers of DTAs.
10.4.12.1 AU-14(1) – Session Audit: System Start-Up – NEW BASELINE

Implemented Planned
49

The information system initiates session audits at system start-up.
10.4.12.2 AU-14(2) – Session Audit: Capture/Record and Log Content – NEW BASELINE
Implemented Planned
The information system provides the capability for authorized users to capture/record and log content related to a user
session.
10.4.12.3 AU-14(3) – Session Audit: Remote Viewing/Listening – NEW BASELINE

Implemented Planned
The information system provides the capability for authorized users to remotely view/hear all content related to an
established user session in real time.
10.4.13 AU-16 – Cross-Organizational Training (+ Classified Overlay) – NEW

Implemented Planned
50

The organization employs an ISA, SLA or MOA for coordinating audit content among external organizations when audit
information is transmitted across organizational boundaries.
10.4.13.1 AU-16(1) – Cross-Organizational Auditing: Identity Preservation (+ Classified Overlay) – NEW

Implemented Planned
The organization requires that the identity of individuals be preserved in cross-organizational audit trails.
10.4.13.2 AU-16(2) – Cross-Organizational Auditing: Sharing of Audit Information (+ Classified Overlay) – NEW
Implemented Planned
The organization provides cross-organizational audit information to specifically-identified organizations based on sharing
agreements as identified in an ISA, SLA, or MOA.
51
SECURITY ASSESSMENT AND AUTHORIZATION (CA)

10.5.1 CA-1 – Security Assessment and Authorization Policies & Procedures
Implemented Planned
a. Develops, documents, and disseminates to all personnel.
1. A security assessment and authorization policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among organizational entities, and
compliance; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy
and associated security assessment and authorization controls; and
1. Security assessment and authorization policy every 5 years and;
2. Security assessment and authorization procedures at least annually.
10.5.2 CA-2 – Security Assessments

Implemented Planned
The organization:
Develops a security assessment plan that describes the Security Assessment Plan is provided by DSS.
scope of the assessment including (1) security controls
and control enhancements under assessment; (2)
assessment procedures to be used to determine security
control effectiveness; and (3) assessment environment,
assessment team, and assessment roles and
52

responsibilities
Assesses the security controls in the information system Click here to enter text.
and its environment of operation at least annually, or as
stipulated in the organization's continuous monitoring
program to determine the extent to which the controls
are implemented correctly, operating as intended, and
producing the desired outcome with respect to meeting
established security requirements
Produces a security assessment report that documents Click here to enter text.
the results of the assessment
Provides the results of the security control assessment Click here to enter text.
to the SCA and the DAO/DAO Rep and the ISSM/ISSO.
10.5.2.1 CA-2(1) – Security Assessments: Independent Assessors (- Standalone Overlay)

Implemented Planned
The organization employs assessors or assessment teams with AO determined level of impartiality based on the risk
assessment for the system to conduct security control assessments. Impartiality implies that the assessors are free from
any perceived or actual conflicts of interest with respect to the developmental, operational, and/or management chain of
command associated with the information system or to the determination of security control effectiveness. Security
assessment services can be obtained from other elements within the organization or can be contracted to a public or private
sector entity outside of the organization.
DSS is considered the Inpendent Assessor within NISP Implemenation of the RMF process.
10.5.3 CA-3 – Information System Connections (+ Classified Overlay) (- Standalone Overlay)

Implemented Planned
53
Organizations shall identify any connections of an information system to an external information system in the SSP and
ensure connections from the information system to external information systems are authorized through the use of an ISA.
An external information system is an information system or component that is outside the authorization boundary as
defined in the SSP. (Reference AC-20.) If the interconnecting systems have the same AO, an ISA is not required.
Organizations typically have no direct control over the security controls or security control effectiveness for these external
systems or components. Organizations shall monitor all information system connections on an ongoing basis to verify
enforcement of the security requirements. If the interconnecting systems have the same AO, an ISA is not required,
although one may still be beneficial.
When a need arises to connect two different IS operating at different security classification levels, the connection is referred
to as a cross domain connection. Any cross domain connection must be identified first to the Service or Agency Cross
Domain Support Element (CDSE)
The direct connection of any information system to an external network is prohibited. No direct connection means that an
information system cannot connect to an external network without the use of an approved boundary protection device
(e.g., firewall or cross domain device) that mediates the communication between the system and the network.
The organization:
Authorizes connections from the information system to Click here to enter text.
other information systems through the use of
Interconnection Security Agreements
Documents, for each interconnection, the interface Click here to enter text.
characteristics, security requirements, and the nature of
the information communicated
Reviews and updates Interconnection Security Click here to enter text.
Agreements annually
10.5.3.1 CA-3(1) – Information System Connections: Unclassified National Security System Connections (- Standalone & CRN
Overlay)
Implemented Planned
The organization prohibits the direct connection of a system processing to an external network without DAO approval and
the use of approved boundary protection devices.
Organizations typically do not have control over external networks (e.g., the Internet). Approved boundary protection
devices (e.g., routers, firewalls) mediate communications (i.e., information flows) between unclassified national security
systems and external networks. This control enhancement is required for organizations processing, storing, or transmitting
Controlled Unclassified Information (CUI).
54
10.5.3.2 CA-3(2) – Information System Connections: Classified National Security System Connections (+ Classified Overlay) (-
Standalone & CRN Overlay)
Implemented Planned
The organization prohibits the direct connection of a classified, national security system processing SAR to an external
network without DAO approval and the use of approved boundary protection devices.
10.5.3.3 CA-3(5) – Information System Connections: Restrictions on External Network Connections – NEW BASELINE

Implemented Planned
The organization employs deny-all, permit-by-exception policy for allowing all systems to connect to external information
systems.
10.5.4 CA-5 – Plan of Action & Milestones

Implemented Planned
55

POA&Ms are the authoritative management tool used by the organization (including the AO, SCA) to detail specific program
and system level security weaknesses, remediation needs, the resources required to implement the plan, and scheduled
completion dates.
The POA&M is initiated based on findings and recommendations from the SAR, or as a minimum, providing that information
via the SAR to the ISO. The ISO shall describe the planned tasks for correcting weaknesses and addressing any residual
findings. The POA&M shall identify:
Tasks to be accomplished with a recommendation for completion either before or after information system implementation.
Resources required to accomplish the tasks.
Any milestones in meeting the tasks, to include percentage completed.
Scheduled completion dates for the milestones.
Status of tasks (completed, ongoing, delayed, planned)
The POA&M is used by the AO and SCA to monitor the progress in mitigating any findings. POA&M entries are required even
when weaknesses or deficiencies found during the assessment are remediated prior to the submission of the authorization
package to the AO. Once an authorization is issued with a POA&M, adjusting the approved milestones and scheduled
completion dates is not allowed without coordination with AO. (NOTE: For Army, those weaknesses found during the
assessment, but remediated on site, will be included in the SAR, but not the POA&M).
The organization:
Develops a plan of action and milestones for the Click here to enter text.
information system to document the organization’s
planned remedial actions to correct weaknesses or
deficiencies noted during the assessment of the security
controls and to reduce or eliminate known
vulnerabilities in the system
Updates existing plan of action and milestones at least Click here to enter text.
quarterly based on the findings from security controls
assessments, security impact analyses, and continuous
monitoring activities
10.5.5 CA-6 – Security Authorization

.
Implemented Planned
The ISSM is responsible for ensuring the submission of the Security Authorization Package to the SCA, who, in turn, submits
the security authorization package to the AO. When security controls are provided to an organization by an external
provider (e.g., through contracts, interagency agreements, lines of business arrangements, licensing agreements, and/or
supply chain arrangements), the organization shall ensure the information needed by the AO to make a risk-based decision
56

is made available by the control provider. The security authorization package will contain, at a minimum, the SSP (which
includes the ConMon Strategy), the RAR, and POA&M. In addition, the Security Assessment Plan may be required by the
AO. The complexity of the RAR and ConMon Strategy vary by system and environment. Guidance on the level of detail
required is provided by the AO/SCA.
For additional information on the requirements for reciprocity, see the DAA PM control description.
The organization:
Assigns a senior-level executive or manager as the This control falls under DSS cognizance
authorizing official for the information system.
Ensures that the authorizing official authorizes the This control falls under DSS cognizance
information system for processing before commencing
operations
Updates the security package if the organization and/or This control falls under DSS cognizance
system is adequately covered by a continuous
monitoring program the Security Authorization may be
continuously updated: If not; at least every three (3)
years, when significant security breaches occur,
whenever there is a significant change to the system, or
to the environment in which the system operates
10.5.6 CA-7 – Continuous Monitoring

Implemented Planned
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that
includes:
Establishment of a IA controls and metrics to be Click here to enter text.
monitored
Establishment of monitoring frequency for each security Click here to enter text.
control and frequency of assessments supporting such
monitoring
Ongoing security control assessments in accordance Click here to enter text.

with the organizationally-defined security control
monitoring frequency
Ongoing security status monitoring of organization- Click here to enter text.
defined metrics in accordance with the organizationally-
defined security control monitoring frequency
Correlation and analysis of security-related information Click here to enter text.
generated by assessments and monitoring
57

Response actions to address results of the analysis of
security-related information
Reporting the security state of the organization and the Click here to enter text.
information system to appropriate organizational
officials at least annually, or whenever there is a
significant change to the system or the environment in
which the system operates
10.5.6.1 CA-7(1) – Continuous Monitoring: Independent Assessment (- Standalone Overlay)

Implemented Planned
The organization employs assessors or assessment teams to perform an objective assessment to monitor the security
controls in the information system on an ongoing basis.
10.5.7 CA-9 – Internal System Connections – NEW BASELINE

Implemented Planned
The organization:
Authorizes internal connections of information system Click here to enter text.
components to the information system
Documents, for each internal connection, the interface Click here to enter text.
characteristics, security requirements, and the nature
of the information communicated
58
CONFIGURATION MANAGEMENT (CM)

10.6.1 CM-1 – Configuration Management Policy and Procedures

Implemented Planned
The organization:
a. Develops, documents, and disseminates to Authorized designated users:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment,
coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the configuration management policy and associated configuration
management controls; and
1. Configuration management policy [annually]; and
2. Configuration management procedures [annually].
10.6.2 CM-2 – Baseline Configuration

Implemented Planned
Organizations must develop, document, and maintain the current baseline configuration for all information
systems under their purview to include, but not limited to, workstations, servers, network components and
mobile devices.
A baseline configuration describes the approved configuration of an information system including all hardware
(manufacturer, model and serial number or unique identifier), software (manufacturer, name, version number),
and firmware components (manufacturer, name and version number), how various security controls are
implemented, how the components are interconnected, and the physical and logical locations of each.
59

10.6.2.1 CM-2(1) – Baseline Configuration: Reviews & Updates

Implemented Planned
The organization reviews and updates the baseline configuration of the information system.:
(a) At least annually;
(b) When required due to baseline configuration changes or as events dictate such as changes due to -
Changes that modify the security structure; and
• Operating system changes (e.g., Windows XP to Windows 7).
• Major software version upgrades (e.g., Office 2007 to Office 2010).
• Addition to servers.
• Modification to system ports, protocols and services (PPS).
• Major vulnerabilities discovered after assessment and/or authorization.
• Changes to the confidentiality, integrity, or availability requirements (e.g., changing from
a moderate impact level to high impact level).
• Changes in system encryption methods
• Changes in interconnections.
• Changes to operating environment (e.g. External information System introduces media
capability; introduction of Voice over internet Protocol (IP) (VOIP) (classified or
unclassified; foreign nationals move in next door, system is relocated).
• Significant increased threat increasing the organization/sites residual risk. Minor and
non-security relevant hardware and software changes to information systems do not
require assessment retesting. These upgrades require an administrative update to the
SSP. Examples of changes that only require administrative updates include:
• Non-security relevant software version updates and/or upgrades.
• Addition of identical workstation type with approved image to an authorized
system.
• Replacement of failed servers/system components with identical spares
• Replacement of hardware drives/tape back-up.
(c) As an integral part of information system component installations and upgrades.
60

10.6.2.2 CM-2 (5) – Baseline Configuration: Authorized Software WITHDRAWN Incorporated Into CM-7
10.6.3 CM-3 – Configuration Change Control

Implemented Planned
The Organization must:
a. Determine the types of changes to the information system that are configuration-controlled;
b. Review proposed configuration-controlled changes to the information system and approves or disapproves such changes
with explicit consideration for security impact analyses;
c. Document configuration change decisions associated with the information system;
d. Implement approved configuration-controlled changes to the information system;
e. Retain records of configuration-controlled changes to the information system for the life of the system.
f. Audit and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinate and provide oversight for configuration change control activities through establishment of a group of
individuals with the collective responsibility and authority to review and approve proposed changes to the IS that convenes
as defined in the local SSP and when there is a significant change to the system or the environment in which the system
operates. This could be a function overseen only by the ISSM and/or ISSO/AO.
10.6.3.1 CM-3(4) – Configuration Change Control: Security Representative

Implemented Planned
61

The organization requires an information security representative to be a member of the change board. Usually, the ISSM or
his/her designated representative shall serve as a voting member of the CCB, whether informal or formal. Since the ISSM is
responsible for halting practices dangerous to security, the ISSM shall have authority to veto any proposed change he/she
believes to be detrimental to security. In cases of disagreement, the change shall be postponed while the ISO or ISSM
contacts the AO’s office for resolution.
10.6.3.2 CM-3(6) – Configuration Change Control: Cryptography Management (+ Classified Overlay) – NEW BASELINE
this control.
Implemented Planned
The organization ensures that cryptographic mechanisms (public key, private key, etc…)used to provide safeguarding of
classified information from unauthorized access or modification is under configuration management policy
10.6.4 CM-4 – Security Impact Analysis)

Implemented Planned
62

The organization analyzes changes to the information system to determine potential security impacts prior to change
implementation.
The organization must maintain records of analysis of changes to the information system.
10.6.5 CM-5 – Access Restrictions for Change

Implemented Planned
The organization defines documents, approves, and enforces physical and logical access restrictions associated with changes
to the information system.
The organization permits only qualified and authorized individuals (Privileged) to access information systems for purposes
of initiating changes, including upgrades and modifications. These access restrictions enforce configuration control to the
information system.
10.6.5.1 CM-5(5) – Access Restrictions for Change: Limit Production/Operational Privileges (+ Classified Overlay) (- Standalone
Overlay)
Implemented Planned
The organization:
(a) Limits developing/integrator privileges to change information system components (hardware,
software, and firmware) and system-related information within a production or operational
environment; and
63

(b) Ensure the ISSM Reviews and reevaluates privileges at least annually.
10.6.5.2 CM-5(6) – Access Restrictions for Change: Limit Library Privileges

Implemented Planned
The organization limits privileges to change software resident within software libraries.
Where possible, organizations shall employ automated mechanisms to enforce access restrictions and support auditing of
the enforcement actions. This control supports insider threat mitigation.
10.6.6 CM-6 – Configuration Settings

Implemented Planned
Organizations shall monitor and control changes to the configuration settings. Any detected unauthorized security-relevant
configuration changes to an information system must be documented and reported as a possible incident. See also the
Incident Response family.
The organization:
Establishes and documents configuration settings for Click here to enter text.
information technology products employed within the
information system using organizationally approved
guides such as DoD SRGs, STIGs, NIST Security
Configuration Checklists, Service specific guidance or
NSA SCGs; if such a reference document is not
available, the following are acceptable in descending
order as available: (1) Commercially accepted practices
64

(e.g., SANS) (2) Independent testing results (e.g., ICSA)
or (3) Vendor literature that reflect the most restrictive
mode consistent with operational requirements
Implements the configuration settings Click here to enter text.
Identifies, documents, and approves any deviations Click here to enter text.
from established configuration settings for all
configurable IS components based on mission
requirements
Monitors and controls changes to the configuration Click here to enter text.
settings in accordance with organizational policies and
procedures
10.6.6.1 CM-6(3) – Configuration Settings: Unauthorized Change Detection WITHDRAWN Incorporated Into SI-7
10.6.6.2 CM-6(4) – Configuration Settings: Conformance Demonstration WITHDRAWN Incorporated Into CM-4
10.6.7 CM-7 – Least Functionality

Implemented Planned
The organization must:
a. Document in the security plan, essential capabilities which the information system must
provide. The organization configures the information system to provide only those
documented essential capabilities.
b. Prohibits or restricts the use of ports, protocols, and services using least functionality. Ports
will be denied access by default, and allow access by exception as documented in the system
security plan.
65
10.6.7.1 CM-7(1) – Least Functionality: Periodic Review (- Standalone Overlay)

Implemented Planned
a. Reviews the information system annually to identify unnecessary and/or nonsecure functions, ports,
protocols, and services; and
b. Disables ports, protocols, and services within the information system deemed to be unnecessary (documented
in the SSP CM-7)
10.6.7.2 CM-7(2) – Least Functionality: Prevent Program Execution (- Standalone Overlay)

Implemented Planned
The information system prevents program execution by disabling or uninstalling unused/unnecessary operating system (OS)
functionality, protocols, ports, and services, and limiting the software that can be installed and the functionality of that
software. Systems prevent program execution from organizationally specific locations: (e.g., removable media, temporary
directory, a shared network drive, etc.).
10.6.7.3 CM-7(3) – Least Functionality: Registration Compliance (- Standalone Overlay)

Implemented Planned
66

Organizations shall obtain and ensure compliance with the latest guidance regarding ports, protocols, and services.
Organizations shall configure information systems and components to disable the capability for automatic execution of code
(e.g. AutoRun, AutoPlay). This control supports insider threat mitigation.
Supplemental Guidance: Organizations use the registration process to manage, track, and provide oversight for information
systems and implemented functions, ports, protocols, and services.
10.6.7.4 CM-7(5) – Least Functionality: Authorized Software/Whitelisting – NEW BASELINE

Implemented Planned
The organization:
(a) Identifies develops and maintains an approved software list to execute on the information system.
Change to this list is managed within CM-3.
(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs
on the information system; and
(c) Reviews and updates the list of authorized software programs on a monthly basis.
The organization must maintain an audit trail of the review and update.
10.6.8 CM-8 – Information System Component Inventory

Implemented Planned
67

The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes a local hardware list providing as a minimum, type, make, model, quantity, serial number.
b. Reviews and updates the information system component inventory at least annually
10.6.8.1 CM-8(2) – Information System Component Inventory: Automated Maintenance (- Standalone Overlay) – NEW BASELINE
Implemented Planned
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available
inventory of information system components.
10.6.8.2 CM-8(3) – Information System Component Inventory: Automated Unauthorized Component Detection (- Standalone
Overlay) – NEW BASELINE
Implemented Planned
68

(a) Employ automated mechanisms continuously to detect the presence of unauthorized hardware, software, and
firmware components within the information system; and
(b) Take the following actions when unauthorized components are detected: Documents and implements a
process to take action to disable network access by unauthorized software, hardware, and firmware components,
isolate the components, and/or notify the ISSO and ISSM and others as the local organization deems appropriate.
The organization must maintain an audit trail of actions taken upon detection of unauthorized software, hardware,
and firmware components.
10.6.9 CM-9 – Configuration Management Plan

Implemented Planned
The organization develops, documents, and implements a configuration management plan for the information system that:
Addresses roles, responsibilities, and configuration Click here to enter text.

management processes and procedures
Establishes a process for identifying configuration items Click here to enter text.
throughout the system development life cycle and for
managing the configuration of the configuration items
Defines the configuration items for the information Click here to enter text.
system and places the configuration items under
configuration management
Protects the configuration management plan from Click here to enter text.
unauthorized disclosure and modification
10.6.10 CM-10 – Software Usage Restrictions – NEW BASELINE

Implemented Planned
69

Software use within an environment can make licensing difficult, but system specific controls that are in place to ensure
licensing is properly managed are required.
The organization:
Uses software and associated documentation in Click here to enter text.
accordance with contract agreements and copyright
laws
Tracks the use of software and associated Click here to enter text.
documentation protected by quantity licenses to control
copying and distribution
Controls and documents the use of peer-to-peer file Click here to enter text.
sharing technology to ensure that this capability is not
used for unauthorized distribution, display,
performance, or reproduction of copyrighted work.
10.6.10.1 CM-10(1) – Software Usage Restrictions: Open Source Software – NEW BASELINE
Implemented Planned
The organization establishes the following restrictions on the use of open source software:
Open source software may only be used if specifically approved by the DAO and the organization meets all licensing issues
associated with the software.
10.6.11 CM-11 – User Installed Software – NEW BASELINE

Implemented Planned
70

The organization:
a. Establishes policies governing the installation of software by users (e.g. user agreements, CM Plan, etc.)
b. Define and document the methods employed to enforce the software installation policies
c. Monitors policy compliance monthly.
10.6.11.1 CM-11(2) – User Installed Software: Prohibit Installation with Privileged Status – NEW BASELINE
Implemented Planned
The IS prohibits user installation of software without explicit privileged status.

71
CONTINGENCY PLANNING (CP)

10.7.1 CP-1 – Contingency Planning Policy and Procedures
requirement for the Program to develop additional policy to meet the -1 control. For additional information on the types of
contingency plans, review the section in the DAA PM.

Implemented Planned
The organization:
1. Identify personnel responsible for Contingency Click here to enter text.

Planning. This can be found in the approved
System Security Plan. Contingency Planning
Process and Procedures will be disseminated to
appropriate personnel.
2. Create a contingency planning policy that

addresses purpose, scope, roles, responsibilities,
management commitment, coordination among
organizational entities, and compliance; (ODAA
process manual and NIST 800-34 can be used as
guidance) and Create procedures to facilitate the
implementation of the contingency planning
policy and associated contingency planning
controls; and
Reviews and updates the current: Click here to enter text.
1. Contingency planning policy at

least annually; and
2. Contingency planning procedures

at least annually
10.7.2 CP-2 – Contingency Plan – Maybe tailorout based on contract requirements.

Implemented Planned
72

The availability impact level drives the level of contingency required for the system. The Information System Contingency
Plan (ISCP) may be either a separate document specific to the IS, included in the SSP, or may be incorporated into a broader
site contingency plan, such as the Business Continuity Plan (BCP) or Continuity of Operations Plan (COOP). ISCP development
is the responsibility of the ISO.
A key step in developing an ISCP is to conduct a Business Impact Analysis (BIA). The BIA enables the organization to
characterize the system components, supported mission/business functions, and interdependencies. The BIA purpose is to
correlate the system with the critical mission/business processes and services provided, and based on that information,
characterize the consequences of a disruption. The organization can use the BIA results to determine contingency planning
requirements and priorities. Results from the BIA can also be incorporated into the analysis and strategy development
efforts for the organization’s COOP, BCPs, and DRP. The depth of planning and degree of detail in an ISCP is dependent on
the mission criticality of each system should the system become unavailable. A simple statement as to how long a system
can remain unavailable before it impacts the mission is the basic foundation of a BIA. The mission owner or ISO determine to
what lengths the ISSM/ISSO should go to ensure a contingency plan is in place, e.g., relocation of users/team/crew, hot
backup, warm backup, backup media stored offsite, no additional measures beyond backing up the data.
The plan must define and describe specific responsibilities of designated staff or positions to facilitate the recovery and/or
continuity of essential system functions. The ISCP consists of a comprehensive description of all actions to be taken before,
during, and after a disaster or emergency condition along with documented and tested procedures. The ISCP helps to ensure
critical resources are available and facilitates the continuity of operations in an emergency situation.
The organization Develops a contingency plan that:
Identifies essential missions and business functions and Click here to enter text.
associated contingency requirements;
Provides recovery objectives, restoration priorities, and

metrics;
Addresses contingency roles, responsibilities, assigned

individuals with contact information;
Addresses maintaining essential missions and business

functions despite an information system disruption,
compromise, or failure;
Addresses eventual, full information system restoration

without deterioration of the security safeguards
originally planned and implemented; and
Coordinates contingency planning activities with Click here to enter text.

incident handling activities
Is reviewed and approved by ISSM/FSO annually Click here to enter text.
Distributes copies of the contingency plan to all Click here to enter text.
stakeholders identified in the contingency plan via an
information sharing capability
73
Coordinates contingency planning activities with

incident handling activities;
Reviews the contingency plan for the information

system at least annually
Updates the contingency plan to address changes to

the organization, information system, or environment
of operation and problems encountered during
contingency plan implementation,execution, or testing;
Communicates contingency plan changes to Click here to enter text.

stakeholders identified in the contingency plan; and
Protects the contingency plan from unauthorized Click here to enter text.
disclosure and modification
10.7.3 CP-3 – Contingency Training

Implemented Planned
The organization provides contingency training to information system users consistent with assigned roles and
responsibilities:
a. Within 60 days of assuming a contingency role or responsibility;
b. When required by information system changes; and
c. Annually or as defined in the contingency plan thereafter.
10.7.4 CP-4 – Contingency Plan Testing and Exercises

Implemented Planned
74

The organization:
Tests the contingency plan for the information system Click here to enter text.
annually using full scale contingency plan testing or
functional/tabletop exercises to determine the
effectiveness of the plan and the organizational
readiness to execute the plan.
Documents and reviews the contingency plan Click here to enter text.
test/exercise results,
Initiates the corrective actions, if needed.
10.7.5 CP-7 – Alternate Processing Site (- Standalone Overlay)

Implemented Planned
NOTE: CP-7 and CP-7(5) are normally only applicable for IS with an Availability Impact level of Moderate or High. The
organization shall, as required:
Establish an alternate processing site including Tailored out, low availability impact
necessary agreements to permit the resumption of
information system operations for essential
mission/business functions. The organization will define
the time period consistent with recovery time and
recovery point objectives for essential mission/business
functions to permit the transfer and redemption of
organization-defined information system operations at
an alternate processing site when the primary
processing capabilities are unavailable.
Ensure that equipment and supplies required to resume Tailored out, low availability impact
operations are available at the alternate processing site
or contracts are in place to support delivery to the site
75

in time to support the organization-defined time period
for resumption
Ensure that the alternate processing site provides Tailored out, low availability impact
information security safeguards equivalent to that of
the primary site
Develop alternate processing site agreements (e.g., Tailored out, low availability impact
MOA/MOU) that contain priority-of-service provisions in
accordance with the organization’s availability
requirements
10.7.5.1 CP-7 (5) – Alternate Processing Site: Equivalent Information Security Safeguards WITHDRAWN Incorporated Into CP-7
10.7.6 CP-9 – Information System Backup

Implemented Planned
The ISO shall develop backup plans for all information systems. Backup plans must be coordinated with the ISSM/ISSO and
included in the ISCP. Backup plans should consider data-production rates and data-loss risks. The areas of risk that should be
identified and planned for include, but are not limited to:
• Loss of power.
• Loss of network connectivity.
• Loss or corruption of data.
• Facility disruptions, such as loss of air conditioning, fire, flooding, etc.
Backup procedures should reflect the risk from media loss. If a hard disk were damaged, lost or contaminated in some way,
the disk backups, coupled with periodic incremental backups between full backups, would allow for the restoration of the
data. “Active backups” should be maintained for disks that contain often-used applications.
Backup information must be protected to ensure its confidentiality and integrity. Digital signatures and cryptographic hashes
can be employed to protect the integrity of information system backups. Reference SC-13, Cryptographic Protection. An
organizational assessment of risk guides the use of encryption for protecting backup information. Reference SC-28,
Protection of Data at Rest.
The organization:
Conducts backups of user-level information contained Click here to enter text.

in the information system weekly
Conducts backups of system-level information in the Click here to enter text.

information system weekly
Conduct backups of information system Click here to enter text.

documentation including security-related
documentation when created or received, when
76

updated, and as required by system baseline
configuration changes in accordance with the
contingency plan.
Protects the confidentiality, integrity, and availability of Click here to enter text.
backup information at storage locations
10.7.7 CP-10 – Information System Recovery and Reconstitution

Implemented Planned
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption,
compromise, or failure.
Recovery and reconstitution operations reflect mission and business priorities, recovery point/time and reconstitution
objectives, and established organizational metrics consistent with contingency plan requirements. Reconstitution includes
the deactivation of any interim information system capabilities that may have been needed during recovery operations.
Reconstitution also assessments of fully restored information system capabilities, reestablishment of continuous monitoring
activities, potential information system reauthorizations, and activities to prepare the systems against future disruptions,
compromises, or failures.
Organizations shall ensure all backup and restoration hardware, firmware and software are adequately protected.
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption,
compromise, or failure.
77
IDENTIFICATION AND AUTHENTICATION (IA)

10.8.1 IA – 1 – Identification and Authentication Policy and Procedures

Implemented Planned
The organization:
a. Develops, documents, and disseminates to all personnel:
1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities,
2. Procedures to facilitate the implementation of the identification and authentication policy and
associated identification and authentication controls; and
1. Identification and authentication policy at least annually; and
2. Identification and authentication procedures at least annually.
10.8.2 IA-2 – Identification and Authentication (Organizational Users) (+ Classified)

Implemented Planned
Information systems must uniquely identify and authenticate organizational users (or processes acting on behalf of
organizational users).
78

Identification is an act or process that presents an identifier to a system so the system can recognize a system entity (e.g.,
user, process, or device) and distinguish that entity from all others. Authentication is the act or process of verifying the
identity of a user, process, or device, often as a prerequisite to allowing access to resources in an IS. Authentication of user
identities is accomplished through the use of passwords, tokens, biometrics, or in the case of multifactor authentication,
some combination thereof.
Organizational users include organizational employees or individuals the organization deems to have equivalent status of
employees (e.g., contractors). In addition to identifying and authenticating users at the information system level (i.e., at
logon), identification and authentication mechanisms may be employed at the application level, when deemed necessary, to
provide increased information security.
Organizational users include organizational employees or individuals the organization deems to have equivalent status of
employees (e.g., contractors). In addition to identifying and authenticating users at the information system level (i.e., at
logon), identification and authentication mechanisms may be employed at the application level, when deemed necessary, to
provide increased information security. In general, group accounts are prohibited. Users must be uniquely identified and
authenticated, unless an exception has been documented in the SSP and approved by the AO, such as in the case of group
accounts.
10.8.2.1 IA-2(1) – Identification and Authentication: Network Access to Non-Privileged Accounts (+ Classified Overlay) (-
Standalone Overlay)
Implemented Planned
Information systems shall implement multi-factor authentication for all network access to privileged accounts.
10.8.2.2 IA-2(2) – Identification and Authentication: Network Access to Non-Privileged Accounts (+ Classified Overlay) (-
Standalone Overlay)
Implemented Planned
79

Information systems shall implement multi-factor authentication for all network access to non-privileged accounts.
10.8.2.3 IA-2(3) – Identification and Authentication: Local Access to Privileged Accounts (- Standalone Overlay)
Implemented Planned
Information systems shall implement multi-factor authentication for all local access to privileged accounts.
10.8.2.4 IA-2(4) – Identification and Authentication: Local Access to Non-Privileged Accounts (- Standalone Overlay)
Implemented Planned
Information systems shall implement multi-factor authentication for all local access to non-privileged accounts.
10.8.2.5 IA-2(5) – Identification and Authentication: Group Authentication (- Standalone Overlay)

80

Implemented Planned
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is
employed. Group authentication is discouraged for systems and must be approved by the AO. This control supports insider
threat mitigation.
10.8.2.6 IA-2(8) – Identification and Authentication: Network Access to Privileged Accounts – Replay Resistant (- Standalone
Overlay)
Implemented Planned
Information systems shall implement multi-factor authentication and use replay-resistant authentication mechanisms for all
network access to privileged accounts. An authentication process is resistant to replay attacks if it is impractical to achieve a
successful authentication by recording and replaying a previous authentication message. Techniques used to address this
include protocols that use random or non-repeating values (nonces) or challenges and time synchronous or challenge-
response one-time authenticators.
10.8.2.7 IA-2(9) – Identification and Authentication (Organizational Users): Network Access to Non-Privileged Accounts – Replay
Resistant (- Standalone Overlay)
81
Implemented Planned
The information system implements replay-resistant authentication mechanisms for network access to non-privileged
accounts.
10.8.2.8 IA-2(11) – Identification and Authentication (Organizational Users): Remote Access-Separate Device (- Standalone
Implemented Planned
The information system implements multifactor authentication for remote access to privileged and non-privileged accounts
such that one of the factors is provided by a device separate from the system gaining access and the device meets
organization-defined strength of mechanism requirements.
10.8.2.9 IA-2(12) – Identification and Authentication (Organizational Users): Acceptance of PIV Credentials (- Standalone
Implemented Planned
The information system accepts and electronically verifies Personal Identity Verification (e.g., CAC) credentials.
82

10.8.3 IA-3 – Device Identification and Authentication (- Standalone Overlay)

Implemented Planned
Information systems shall uniquely identify and authenticate all types of devices before establishing a network connection.
This includes, but is not limited to, servers, workstations, printers, routers, firewalls, VoIP telephones, video and VoIP
(VVOIP), desktop video teleconference (VTC) devices, etc. This control supports insider threat mitigation.
Device identification and authentication provides for unique identification and authentication of devices on a LAN and/or
WAN by using, for example, Media Access Control (MAC) or Transmission Control Protocol/Internet Protocol (TCP/IP)
addresses or an organizational authentication solution such as Institute of Electrical and Electronics Engineers (IEEE) 802.1x
and Extensible Authentication Protocol (EAP), Remote Authentication Dial In User Service (RADIUS) server with EAP-
Transport Layer Security (TLS) authentication, or Kerberos.
This control can be tailored out for standalone IS. Implementing this control ensures that un-authenticated devices, e.g.,
mobile devices and personal laptop computers, are not able to make a connection to an information system containing PII.
10.8.3.1 IA-3(1) – Device Identification and Authentication: Cryptographic Bi-Directional Authentication (- Standalone Overlay)
Implemented Planned
The information system authenticates all types of devices before establishing a connection using bidirectional
authentication that is cryptographically based. Bidirectional authentication provides stronger safeguards to validate the
identity of other devices for connections that are of greater risk (e.g., remote connections).
A local connection is any connection with a device communicating without the use of a network. A network connection is
any connection with a device that communicates through a network (e.g., local area or wide area network, Internet). A
83

remote connection is any connection with a device communicating through an external network (e.g., the Internet).
Bidirectional authentication provides stronger safeguards to validate the identity of other devices for connections that are
of greater risk (e.g., remote connections). This control supports insider threat mitigation.
10.8.3.2 IA-4 – Identifier Management

Implemented Planned
Individual user identifiers (USERIDs) are used for identification of users on information systems, which shall be standardized
(e.g., last name first initial, first.lastname) for each system. IA-2 addresses the use of unique identifiers.
The organization manages information system identifiers by:
Receiving authorization from appropriate personnel to Click here to enter text.
assign an individual, group, role, or device identifier
Selecting an identifier that identifies an individual, group, Click here to enter text.
role, or device
Assigning the identifier to the intended individual, group, Click here to enter text.
role, or device
Preventing reuse of identifiers Click here to enter text.
Disabling the identifier after a period not to exceed 90 Click here to enter text.
days of inactivity [30 days for Army] for individuals,
groups, or roles; not appropriate to define for device
identifiers; e.g., media access control (MAC), IP
addresses, or device unique token identifiers.
10.8.3.3 IA-4(4) – Identifier Management: Identify User Status (- Standalone Overlay)

Implemented Planned
84

The organization manages individual identifiers by uniquely identifying each individual as a contractor, government (civilian,
military), and/or foreign nationality as appropriate. Examples: john.smith.ctr, john.smith.civ, john.smith.uk
Characteristics identifying the status of individuals include, for example, contractors and foreign nationals. Identifying the
status of individuals by specific characteristics provides additional information about the people with whom organizational
personnel are communicating. For example, it might be useful for a government employee to know that one of the
individuals on an email message is a contractor.
10.8.4 IA-5 – Authenticator Management

Implemented Planned
Passwords must meet standards for strong passwords. Examples of situations that may require tailoring include, but are not
limited to:
• The password mechanism does not support strong password requirements.
• The password is one factor of an authorized, multifactor authentication means.
• The password is used by a system process (as opposed to an interactive user session).
Shared (Group) Password [IA-5.a & .j] An account password shared among a group of users (i.e., group account) shall be
specifically documented in the SSP and authorized for use by the AO or designee. If specifically authorized, shared account
passwords must not knowingly be the same for any other account and shall be changed if a user leaves the group.
The organization manages IS authenticators by:
Verifying, as part of the initial authenticator distribution, Click here to enter text.
the identity of the individual, group, role, or device
receiving the authenticator
Establishing initial authenticator content for Click here to enter text.
authenticators defined by the organization
Ensuring that authenticators have sufficient strength of Click here to enter text.
mechanism for their intended use
Establishing and implementing administrative Click here to enter text.
procedures for initial authenticator distribution, for
lost/compromised or damaged authenticators, and for
revoking authenticators
Changing default content of authenticators prior to Click here to enter text.
information system installation
85

Establishing minimum and maximum lifetime Click here to enter text.
restrictions and reuse conditions for authenticators
Changing/refreshing authenticators within a time period Click here to enter text.
not to exceed 90 days for passwords; system defined
time period for other authenticator types
Protecting authenticator content from unauthorized Click here to enter text.
disclosure and modification
Requiring individuals to take, and having devices Click here to enter text.
implement, specific security safeguards to protect
authenticators
Changing authenticators for group/role accounts when Click here to enter text.
membership to those accounts changes
10.8.4.1 IA-5(1) – Authenticator Management: Password-Based Authentication

Implemented Planned
The IS for password-based authentication:
Enforces minimum password complexity for IS of at least 14 characters in length for non-privileged accounts and 15
characters in length for privileged accounts; contains a string of characters that does not include the user’s account name or
full name; includes one or more characters from at least 3 of the following 4 classes: Uppercase, lowercase, numerical &
special characters;
Enforces at least a minimum of four changed characters;
Stores and transmits only cryptographically-protected passwords;
Enforces password minimum and maximum lifetime restrictions of at least 1 day lifetime minimum and 90 day lifetime
maximum;
Prohibits password reuse for a minimum of 24 password generations;
Allows the use of a temporary password for system logons with an immediate change to a permanent password.
These password requirements are for English display language. Other display languages should use equivalent password
strength requirements. Passwords shall not be stored on an information system in clear text. An authorized, non-reversible,
encryption algorithm (e.g., hash algorithm) shall be used to transform a password into a format that may be stored in a
password file for use during subsequent password-validation. Passwords and password files, when transmitted using
electronic means, shall be encrypted using an authorized algorithm.
An approved product vendor’s current password hashing algorithm is an authorized algorithm when used on a protected
network. When possible, systems shall be configured to automatically notify the user of the requirement to change their
password at least fourteen (l4) days before its expiration. The minimum age restriction does not apply to the initial change
of a password, help desk password reset, or when compromise of a password is known or suspected.
86
10.8.4.2 IA-5(2) – Authenticator Management: PKI-Based Authentication (- Standalone Overlay)

Implemented Planned
Information systems that use PKI-based authentication shall (a) validate certificates by constructing and verifying a
certification path to an accepted trust anchor including checking certificate status information; (b) enforce authorized access
to the corresponding private key; (c) Map the authenticated identity to account of the individual or group; and (d)
Implement a local cache of revocation data to support path discovery and validation in cases of inability to access revocation
information via the network.
Organizations shall ensure that remote sessions for accessing information systems employ PKI certificates issued by a
government-approved registration authority and are audited. If PKI is not feasible, security measures above and beyond
standard bulk or session layer encryption shall be implemented (e.g., Secure Shell or VPN with blocking mode enabled) [AC-
17(7)].
Control not required for NISP system.
10.8.4.3 IA-5(4) – Authenticator Management: Automated Support for Password Strength Determination
Implemented Planned
The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy
requirements as defined in IA-5 (1).
Passwords should be sufficiently strong to resist “password cracking” and other types of attacks intended to discover users’
passwords. Information resources should use automated password filters to verify that passwords are created consistent
with this document. Automated tools should be accessible to assist users with checking password strengths and generating
passwords. A password cracking method shall be used only with written AO authorization providing explicit direction for use
during vulnerability testing. Only authorized personnel will have access to and use password cracking tools. Reference IA-
5(1) (a) and (b) for password requirements.
87

10.8.4.4 IA-5(7) – Authenticator Management: No Embedded Unencrypted Static Authenticators

Implemented Planned
The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or
stored on function keys.
10.8.4.5 IA-5(8) – Authenticator Management: Multiple Information System Accounts

Implemented Planned
The organization implements precautions including advising users that they must not use the same password for any of the
following: Different systems with domains of differing classification levels; Access to different systems within one
classification level (e.g., internal agency network and Intelink).; Different accounts with different privilege levels (e.g., user,
administrator) to manage the risk of compromise due to individuals having accounts on multiple information systems.
10.8.4.6 IA-5(11) – Authenticator Management: Hardware Token-Based Authentication – NEW BASELINE

Implemented Planned
88

The information system, for hardware token-based authentication, employs mechanisms that satisfy DoD CAC
requirements.
10.8.4.7 IA-5(13) – Authenticator Management: Expiration of Cached Authenticators (- Standalone Overlay) – NEW BASELINE
Implemented Planned
The information system prohibits the use of cached authenticators after one (1) hour.
10.8.4.8 IA-5(14) – Authenticator Management: Managing Content of PKI Trust Stores (- Standalone Overlay) – NEW BASELINE
Implemented Planned
The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the
content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.
89
10.8.5 IA-6 – Authenticator Feedback

Implemented Planned
The information system obscures feedback of authentication information during the authentication process to protect the
information from possible exploitation/use by unauthorized individuals.
Information systems shall not display any password on a terminal, monitor, or printer when a user enters a password to gain
access. Displaying asterisks when a user types in a password is an example of obscuring feedback of authentication
information.
10.8.6 IA-7 – Cryptographic Module Authentication

Implemented Planned
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements
of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such
authentication. FIPS 140-2 validated cryptographic modules are often used to protect unclassified sensitive information in
computer and telecommunication systems (including voice systems). Classified information systems use NSA-validated
cryptographic modules.
10.8.7 IA-8 – Identification and Authentication (Non-Organizational Users) (- Standalone Overlay)

After a relevance determination, this control can be tailored out for standalone IS with single users.
Implemented Planned
90

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of
non-organizational users).
10.8.7.1 IA-8(1) – Identification and Authentication (Non-Organizational Users): Acceptance of PIV Credentials from Other
Agencies (- Standalone Overlay) – NEW BASELINE
Implemented Planned
The information system accepts and electronically verifies Personal Identity Verification (PIV) (e.g., CAC) credentials from
other DoD and/or federal agencies.
10.8.7.2 IA-8(2) – Identification and Authentication (Non-Organizational Users): Acceptance of Third-Party Credentials (-
Standalone Overlay) – NEW BASELINE
Implemented Planned
The information system accepts only FICAM-approved third-party credentials.
Third-party credentials are those credentials issued by nonfederal government entities approved by the Federal Identity,
Credential, and Access Management (FICAM) Trust Framework Solutions initiative. Approved third-party credentials meet or
exceed the set of minimum federal government-wide technical, security, privacy, and organizational maturity requirements.
This allows federal government relying parties to trust such credentials at their approved assurance levels.
91

10.8.7.3 IA-8(3) – Identification and Authentication (Non-Organizational Users): Use of FICAM Approved Products (- Standalone
Implemented Planned
The organization employs only FICAM-approved information system components in Program IS to accept third-party
credentials. NOTE: In lieu of FICAM-approved products, DoD shall use DoD-approved products.
10.8.7.4 IA-8(4) - Identification and Authentication (Non-Organizational Users): Use of FICAM Issued Profiles (- Standalone
Implemented Planned
The IS conforms to FICAM-issued profiles. NOTE: In lieu of FICAM-approved profiles, DoD shall use DoD-approved
implementations.
92
INCIDENT RESPONSE (IR)

10.9.1 IR-1 – Incident Response Policy and Procedures
requirement for the Program to develop additional policy to meet the -1 control.IA-8(4)
Implemented Planned
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities, management
2. Procedures to facilitate the implementation of the incident response policy and associated incident
response controls; and
1. Incident response policy at least annually; and
2. Incident response procedures at least annually.
10.9.2 IR-2 – Incident Response Training

Implemented Planned
Incident recognition and reporting training shall be included as part of both general and privileged user awareness training. See also
Security Training [AT-3]. General users must be trained on what constitutes suspicious activity as it applies to the system, other users, and
unauthorized individuals internal and external to the organization. General users must also know to whom and when to report suspicious
93

activity and to keep discussions about potential incidents within the incident response chain of command.
Privileged users should be trained in preserving the scene, preserving the data (volatile and nonvolatile), chain of custody, and reporting
requirements. Privileged users frequently move from the containment phase to eradication compromising data necessary in prosecuting a
potentially criminal case. Privileged users must also know who to contact for assistance in responding to an incident, e.g., the organizations
IA point of contact. Additional incident response related training may be required depending on the system, environment, and mission
criticality.
The organization provides incident response training to information system users consistent with assigned roles and responsibilities:
Within 30 working days of assuming an incident response role or Click here to enter text.
responsibility
When required by information system changes Click here to enter text.
At least annually thereafter. Click here to enter text.
10.9.3 IR-3 – Incident Response Testing

Implemented Planned
The organization tests the incident response capability for the information system at least annually using appropriate tests
to determine the incident response effectiveness and documents the results.Click here to enter text.
10.9.3.1 IR-3(2) – Incident Response Testing and Exercises: Coordination with Related Plans – NEW BASELINE
10.9.4 IR3-(2) INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS

Implemented Planned
The organization coordinates incident response testing with organizational elements responsible for related plans.
94
10.9.5 IR-4 – Incident Handling

Implemented Planned
Please enter facility specific Incident Response Info.
The organization:
Implements an incident handling capability for security Click here to enter text.
incidents that includes preparation, detection and
analysis, containment, eradication, and recovery
Coordinates incident handling activities with Click here to enter text.
contingency planning activities
Incorporates lessons learned from ongoing incident Click here to enter text.
handling activities into incident response procedures,
training, and testing/exercises, and implements the
resulting changes accordingly
10.9.5.1 IR-4(1) – Incident Handling: Automated Incident Handling Processes

Implemented Planned
The organization employs automated mechanisms to support the incident handling process. While it is not cost effective
for most organizations to maintain an online incident management system, such as Remedy, there are functions that can be
automated to support the incident handling process. For instance mechanisms in support of identification or detection and
analysis include:
 System audit logs that capture unsuccessful attempts to log into the system, attempts to gain access to
unauthorized folders/files, attempts to introduce unauthorized software or media.
 Device audit logs.
 IDS, content filtering applications, etc.
95

10.9.5.2 IR-4(3) – Incident Handling: Continuity of Operations

Implemented Planned
The organization identifies classes/categories as defined in CNSS_____ to define actions required in the event of an incident
to ensure continuation of organizational missions and business functions.
10.9.5.3 IR-4(4) – Incident Handling: Information Correlation

Implemented Planned
The organization correlates incident information and individual incident responses to achieve an organization-wide
perspective on incident awareness and response.
10.9.5.4 IR-4(6) – Incident Handling: Insider Threats – Specific Capabilities – NEW BASELINE
Implemented Planned
96

The organization implements incident handling capability for insider threats.
10.9.5.5 IR-4(7) – Incident Handling: Insider Threats – Intra-Organization Coordination – NEW BASELINE
Implemented Planned
The organization coordinates incident handling capability for insider threats across the Oversight Team.
10.9.5.6 IR-4(8) – Incident Handling: Correlation with External Organization – NEW BASELINE
Implemented Planned
The organization coordinates with organizations whose data has been involved in an incident to correlate and share
incident-related information to achieve a cross-organization perspective on incident awareness and more effective incident
responses.
97
10.9.6 IR-5 – Incident Monitoring

Implemented Planned
The organization tracks and documents information system security incidents.
Collecting user statements of those involved in incidents with information systems is also required in order to completely
document the details of an incident. While it is not cost effective for most organizations to maintain an online incident
management system, there are functions that can be automated to support the incident handling process. For instance
mechanisms in support of identification or detection and analysis include:
 System audit logs that capture unsuccessful attempts to log into the system, attempts to gain access to
unauthorized folders/files, attempts to introduce unauthorized software or media.
 Device audit logs.
 IDS, content filtering applications, etc.
10.9.7 IR-6 – Incident Reporting

Implemented Planned
In the case of a suspected incident, containment procedures must begin immediately. However, GCA/Confirmation of the
classification of the information spilled is required promptly so decisions concerning scale of containment and eradication
efforts can be scoped, e.g., data spilled onto another system tends to be (although not always) less critical than data spilled
to an unclassified system.
The ISSM/ISSO is responsible for reporting incidents to security as well as to the AO,. The ISSM/ISSO must also report the
incident to the system DAO who in turn reports it to the AO. [IR-6.b] If an activity from another organization is involved, the
Director of Security will provide proper notification to the organization.
Initial/interim reporting should begin as soon as possible after knowledge of the incident and should continue until the
incident is resolved.
Organizations will continue to report until the incident is closed.
Requires personnel to report suspected security Click here to enter text.

incidents to the organizational incident response
98

capability within 24 hours .
Reports security incident information to the appropriate Click here to enter text.
agency IAW AR 380-381
10.9.7.1 IR-6(1) – Incident Reporting: Automated Reporting

Implemented Planned
The organization employs automated mechanisms to assist in the reporting of security incidents.
Differing types of automated mechanisms can meet the intent of IR-6(1) This mechanism may be a web-based form that is
populated by the ISSM/ISSO alerting the appropriate individuals, or an email process that includes a preset distribution
group to ensure all key individuals are alerted in the event of an incident, e.g., ISSM/ISSO, and other designaed personnel.
Where a email distribution is used, the responder should be cautious unclassified information in the incident description in
the initial report. The classified report shall be protected in accordance with the NISPOM requirements.
10.9.7.2 IR-6(2) – Incident Reporting: Vulnerabilities Related to Incidents

Implemented Planned
ISSM shall report all information system-related incidents to designated personnel providing the response determination,
guidance to the site as needed. This provides an organization-wide awareness of incidents, a broader capability for
identifying trends and vulnerabilities, and the potential to share information with other organizations in the community.
This control supports insider threat mitigation.
99
10.9.8 IR-7 – Incident Response Assistance

Implemented Planned
The organization provides an incident response support resource, integral to the organizational incident response capability
that offers advice and assistance to users of the IS for the handling and reporting of security incidents.
10.9.8.1 IR-7(1) – Incident Response Assistance: Automation Support for Availability of Information
Implemented Planned
The organization employs automated mechanisms for increase the availability of incident response-related information and
support. Automated mechanisms for incident response related information and support may be employed through a
website, database, or other automated means.
This control is met using email.
10.9.8.2 IR-7(2) – Incident Response Assistance: Coordination with External Providers

Implemented Planned
The external providers for incident response for IS incidents are the. ISSM/ISSOs will provide local incident response team
POCs to their POC. The names and contact information may be provided in the SSP. This control supports insider threat
100

mitigation.
This control can be met using email.
10.9.9 IR-8 – Incident Response Plan

Implemented Planned
Each organization shall develop an incident response plan specific to the system, site, and/or installation as appropriate,
which:
 Provides a roadmap for implementing its incident response capability.
 Describes the structure and organization of the incident response capability.
 Provides a high-level approach for how the incident response capability fits into the overall Enterprise.
 Meets unique requirements related to mission, size, structure, and functions.
 Defines reportable incidents.
 Provides metrics for measuring the incident response capability.
 Defines the resources and management support needed to effectively maintain and mature the incident response
capability.
 Is reviewed and approved by the AO.
 Identifies how the organization will test (i.e. table-top, hot wash, etc.)
Copies of the incident response plan shall be distributed to all personnel with a role or responsibility for implementing the
plan. The incident response plan shall be reviewed at least annually (incorporating lessons learned from past incidents) and
revised to address system/organizational changes or problems encountered during plan implementation, execution, or
testing. Incident response plan changes shall be communicated to all personnel with a role or responsibility for
implementing the plan not later than 30 days after the change is made. The incident response plan shall be protected from
unauthorized disclosure and modification.
10.9.10 IR-9 – Information Spillage Response (+ Classified Overlay) – NEW BASELINE

Implemented Planned
101

The organization responds to information spills by:
Identifying specific information involved in the Click here to enter text.

information system contamination
Alerting designed personnel of the information spill Click here to enter text.
using a method of communication not associated with
the spill
Isolating the contamination information system or Click here to enter text.
system component
Eradicating the information from the contaminated Click here to enter text.
information system or component
Identifying other IS or system components that may Click here to enter text.
have been subsequently contaminated
Performing actions as required by AR 380-381 Click here to enter text.
10.9.10.1 IR-9(1) – Information Spillage Response: Responsible Personnel (+ Classified Overlay) – NEW BASELINE
Implemented Planned
The organization assigns personnel and associated roles with responsibility for responding to information spills.
10.9.10.2 IR-9(2) – Information Spillage Response: Training (+ Classified Overlay) – NEW BASELINE
Implemented Planned
102

The organization provides information spillage response training annually.
10.9.10.3 IR-9(4) – Information Spillage Response: Exposure to Unauthorized Personnel (+ Classified Overlay) – NEW BASELINE
Implemented Planned
The organization employs security safeguards for personnel exposed to information not within assigned access
authorizations, such as making personnel aware of federal laws, directives, policies, and/or regulations regarding the
information and the restrictions imposed based on exposure to such information.
10.9.11 IR-10 – Integrated Information Security Cell (+ Privacy Overlay) – NEW BASELINE
this control.
Implemented Planned
The organization establishes an integrated team of forensic/malicious code analysts, tool developers and real time
operations personnel.
103
MAINTENANCE (MA)
10.10.1 MA-1 – System Maintenance Policy and Procedures
10.10.2 MA-2 – Controlled Maintenance

Implemented Planned
IS are particularly vulnerable to security threats during maintenance activities. The level of risk is directly associated with the
maintenance person’s clearance and access status. A maintenance person may be uncleared or may not be cleared to the
level of classified information contained on the IS. Properly cleared personnel working in the area must maintain a high level
of security awareness at all times during IS maintenance activities. Reference MA-5(1) for escort requirements.
All maintenance activities should be performed on-site whenever possible. Removal of an IS or system components from a
facility for maintenance or repairs requires approval coordination with the individual responsible for changes to the system,
e.g., ISSM/ISSO and the individual who approves removal of equipment from the facility.
Any maintenance changes that impact the security of the system shall receive a configuration management review and
documentation update, as appropriate [MA-2.e]. See also [CM-3].
Organizations shall record all information system repairs and maintenance activity in a maintenance log for the life of the IS
and retain the log for a minimum of one (1) year after equipment decommissioning or disposal.
The organization:
Schedules, performs, documents, and reviews records of Click here to enter text.
maintenance and repairs on information system
components in accordance with manufacturer or vendor
specifications and/or organizational requirements
Approves and monitors all maintenance activities, Click here to enter text.
whether performed on site or remotely and whether the
equipment is serviced on site or removed to another
location
Requires that the ISSM/ISSO or designee explicitly Click here to enter text.
approve the removal of the information system or system
components from organizational facilities for off-site
maintenance or repairs
Sanitizes equipment to remove all information from Click here to enter text.
associated media prior to removal from organizational
facilities for off-site maintenance or repairs
Checks all potentially impacted security controls to verify Click here to enter text.
that the controls are still functioning properly following
maintenance or repair actions
Includes date and time of maintenance, name of Click here to enter text.
individual performing the maintenance, name of escort (if
appropriate), a description of the maintenance
performed, and a list of equipment removed or replaced
to include ID numbers (if applicable) in organization
104

maintenance records or maintenance log
10.10.3 MA-3 – Maintenance Tools

Implemented Partially implemented Planned
The organization approves, controls, and monitors information system maintenance tools. Devices with transmit capability
(e.g., IR, RF) shall remain outside the facility unless explicitly approved by the AO.
10.10.3.1 MA-3(1) – Maintenance Tools: Inspect Tools

Implemented Planned
The organization inspects maintenance tools carried into a facility by maintenance personnel for improper or unauthorized
modifications.
10.10.3.2 MA-3(2) – Maintenance Tools: Inspect Media

Implemented Planned
105

The organization checks media containing diagnostic and test programs for malicious code before the media are used in an
IS. If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the
media contain malicious code, the incident is handled consistent with organizational incident handling policies and
procedures.
10.10.3.3 MA-3(3) – Maintenance Tools: Prevent Unauthorized Removal (+ Classified Overlay)

Implemented Planned
Media without write protection that is brought in for maintenance must remain within the facility and must be stored and
controlled at the classification level of the highest IS to which the media was introduced. Prior to entering the facility,
maintenance personnel must be advised that they will not be allowed to remove media from the facility. If deviation from
this procedure is required under special circumstances, it must be documented locally for review and approval by the
ISSM/ISSO.
Each time the diagnostic test media is introduced into the facility it must undergo stringent integrity checks (e.g., virus
scanning, checksum) prior to being used on the IS, and before leaving the facility, the media must be checked to assure that
no classified information has been written on it. See also MP-5.
Organizations are responsible for preventing the unauthorized removal of maintenance equipment from the facility. This
can be accomplished by any of the following:
 Verifying there is no organizational information contained on the equipment.
 Sanitizing or destroying the equipment.
 Retaining the equipment within the facility.
 Obtaining approval from the ISSM/ISSO explicitly authorizing removal of the equipment from the facility.
10.10.4 MA-4 – Non-Local Maintenance (- Standalone Overlay)

Implemented Planned
106

Non-local maintenance and diagnostic activities are those activities conducted by individuals communicating through a
network outside of the system’s accreditation boundary. Non-local includes devices shipped out for repair or online ‘remote’
maintenance.
The organization:
Approves and monitors nonlocal maintenance and Click here to enter text.
diagnostic activities
Allows the use of nonlocal maintenance and diagnostic Click here to enter text.
tools only as consistent with organizational policy and
documented in the security plan for the information
system
Employs strong authenticators in the establishment of Click here to enter text.
nonlocal maintenance and diagnostic sessions
Maintains records for nonlocal maintenance and Click here to enter text.
diagnostic activities
Terminates session and network connections when Click here to enter text.
nonlocal maintenance is completed
10.10.4.1 MA-4(1) – Non-Local Maintenance: Auditing and Review

Implemented Planned
The organization audits nonlocal maintenance and diagnostic sessions and reviews the records of maintenance and
diagnostic sessions at least quarterly.
10.10.4.2 MA-4(3) – Non-Local Maintenance: Comparable Security/Sanitization (- Standalone Overlay)

Implemented Planned
107

If non-local maintenance is required from a service or organization that does not provide the same level of security required
for the IS being maintained, the system must be sanitized (see the Media Protection (MP) section) and placed in a
standalone configuration prior to establishment of the remote connection. If the system cannot be sanitized (e.g., due to a
system crash), non-local maintenance is not permitted.
The organization:
 Requires that nonlocal maintenance and diagnostic services be performed from an information system that
implements a security capability comparable to the capability implemented on the system being serviced; or
 Removes the component to be serviced from the information system and prior to nonlocal maintenance or
diagnostic services, sanitizes the component (with regard to organizational information) before removal from
organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to
potentially malicious software) before reconnecting the component to the information system.
10.10.4.3 MA-4(6) – Non-Local Maintenance: Cryptographic Protection (- Standalone Overlay)

Implemented Planned
The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal
maintenance and diagnostic communications. Strong identification and authentication techniques (i.e., two-factor
authentication) shall be employed in the establishment of non-local maintenance and diagnostic sessions.
10.10.4.4 MA-4(7) – Non-Local Maintenance: Remote Disconnect Verification (- Standalone Overlay)

Implemented Planned
108

The information system implements remote disconnect verification at the termination of non-local maintenance and
diagnostic sessions.
10.10.5 MA-5 – Maintenance Personnel

.
Implemented Planned
If appropriately cleared personnel are unavailable to perform maintenance, an uncleared or lower-cleared person may be
employed provided a fully cleared, trained, and technically qualified escort monitors and records their activities in a
maintenance log.
The organization:
Establishes a process for maintenance personnel Click here to enter text.
authorization and maintains a list of authorized
maintenance organizations or personnel
Ensures that non-escorted personnel performing Click here to enter text.
maintenance on the information system have required
access authorizations
Designates organizational personnel with required access Click here to enter text.
authorizations and technical competence to supervise the
maintenance activities of personnel who do not possess
the required access authorizations
10.10.5.1 MA-5(1) – Maintenance Personnel: Individuals without Appropriate Access (+ Classified Overlay)
Implemented Planned
109

The organization:
 Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not
U.S. citizens, that include the following requirements:
 Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are
escorted and supervised during the performance of maintenance and diagnostic activities on the information
system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and
are technically qualified;
 Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access
authorizations, clearances or formal access approvals, all volatile information storage components within the
information system are sanitized and all nonvolatile storage media are removed or physically disconnected from
the system and secured; and
 Develops and implements alternate security safeguards in the event an information system component cannot be
sanitized, removed, or disconnected from the system.
10.10.5.2 MA-5(2) – Maintenance Personnel: Security Clearances for Classified Systems

Implemented Planned
Appropriately cleared personnel who perform maintenance or diagnostics on IS do not necessarily require an escort.
Organizations are responsible for ensuring maintenance personnel are familiar with organizational security procedures to
assure the proper security procedures are being followed.
The organization ensures that personnel performing maintenance and diagnostic activities on an IS processing, storing, or
transmitting classifying information possess security clearances and formal access approvals for at least the highest
classification level and compartments on the IS.
10.10.5.3 MA-5(3) – Maintenance Personnel: Citizenship Requirements for Classified Systems

Implemented Planned
110

The organization ensures that personnel performing maintenance and diagnostic activities on an IS processing, storing, or
transmitting classified information are U.S. citizens.
10.10.5.4 MA-5(4) – Maintenance Personnel:

Implemented Planned
The organization ensures that only cleared personnel are used to conduct maintenance and diagnostic activities on an IS
processing, storing, or transmitting classified information when the IS are jointly owned and that approvals are documents
within MOAs.
111
MEDIA PROTECTION (MP)

10.11.1 MP-1 – Media Protection Policy and Procedures
10.11.2 MP-2 – Media Access (+ Classified)

Implemented Planned
The organization restricts access to all types of removable digital and non-digital media including, but not limited to, hard
disks, floppy disks, zip drives, CDs, DVDs, thumb drives, pen drives, flash drives, and similar universal serial bus (USB) storage
devices in accordance with the Insider Threat Mitigation Guidance. A Two-Person Integrity (TPI) Media Custodian will be
designated in writing and will be responsible for implementing locally defined security measures, i.e. media sign-out logs,
media accountability logs, etc.
Where appropriate, all portable media with a moderate or high confidentiality rating shall be encrypted using either NSA
approved.
All digital media, and the use of such media, must be authorized by the designee, prior to being introduced. Organizations
are required to ensure the local facility SOP defines personnel/roles and security measures used to control access to media
(i.e. centralized safe, media sign-out logs, media accountability logs, entry/exit procedures, etc.). Maintain a list of
authorized users and their respective authorized use privileges. Personally-owned thumb drives, CDs, and DVDs are
prohibited from entering accredited facilities without approval.
10.11.2.1 MP-2(2) – Media Access: Cryptographic Protection WITHDRAWN Incorporated Into SC-28
10.11.3 MP-3 – Media Marking (+ Classified)

Implemented Planned
All information storage media must be appropriately marked and protected to prevent the loss of information through poor
security procedures. Likewise, to prevent security compromises, all output products (to include printed material) must be
appropriately marked and protected. Each user is ultimately responsible for the marking, handling, and storage of media and
paper products within their assigned area of responsibility. In addition, security markings will be displayed on all servers,
server cabinets, desktops/laptops, removable/external hard drives, monitors and printers. Thin clients must also be marked.
112

In the case of multi-level devices the security marking shall reflect the highest classification level authorized to be processed.
All IS storage media shall have external security markings clearly indicating the classification of the information. All
information storage media will be marked. [MP-3(a)] See the NISPOM for additional media marking information.
The organization:
Marks IS media indicating the distribution limitations, Click here to enter text.
handling caveats, and applicable security markings (if any)
of the information
Exempts new, unused, factory-sealed media from marking Click here to enter text.
as long as the media remains within the locked media
cabinet or storage area
10.11.4 MP-4 – Media Storage (+ Classified)

.
Implemented Planned
All organizations must comply with the Insider Threat Mitigation guidance.
Commercial software maintained within the facility by IT personnel and used to update systems or maintain proof of license
or purchase may be handled separately from the facility tracking log or system. This media must be locked away in a
separate container or cabinet and treated as unclassified provided the write protection or verification of closed session was
verified by IT personnel once it was used in a classified computer system. Commercial media still in shrink-wrap may remain
this way and be secured in the same cabinet as other commercial media.
All media shall be accounted for under the direct management of the Top Secret Control Officer (TSCO).
Each organization will audit information storage media accountability records for accuracy at least annually or as specified
by the AO. The results of these audits shall be documented in an internal report to remain on file within the organization for
at least one (1) year or one review cycle whichever is longer. Organizations must be able to demonstrate positive control
and accounting of information storage media when reviewed by inspection authorities. Discrepancies shall be reported to
the ISSM/ISSO for further reporting to the AO or designee, as required.
The organization:
Physically controls and securely stores all digital media Click here to enter text.
regardless of classification and/or non-digital media
containing classified information within an area and/or
contained approved for processing and storing media
based on the classification of the information contained
within the media
Protects information system media until the media are Click here to enter text.
destroyed or sanitized using approved equipment,
techniques, and procedures
113
10.11.5 MP-5 – Media Transport (+ Classified)

Implemented Planned
Approved procedures shall be implemented to address mobile devices traveling to and returning from a location that the
organization deems to be of significant risk. Information should be transported electronically whenever possible. When
electronic transport is not possible, movement of all media shall be coordinated through the appropriate security personnel
(ISSM/ISSO.) following approved procedures. [MP- 5(a)]
Activities associated with the transport of media shall be documented by the organization. Appropriate entries in the
organization’s media accounting system shall be made. [MP-5(b)]
The organization:
Protects and controls all types of digital and non-digital Click here to enter text.
media during transport outside of controlled areas using
AO approved security measures, to include courier and
digital media encryption
Maintains accountability for information system media Click here to enter text.
during transport outside of controlled areas
Documents activities associated with the transport of Click here to enter text.
information system media
Restricts the activities associated with the transport of Click here to enter text.
information system media to authorized personnel.
Transport of media shall be restricted to an authorized
custodian by means of a courier card\letter
10.11.5.1 MP-5(3) – Media Transport: Custodians (+ Classified Overlay) – NEW

Implemented Planned
The organization employs an identified custodian during transport of information system media outside of controlled areas.
Transport of media shall be restricted to an authorized custodian by means of a courier card/letter.
114
10.11.5.2 MP-5(4) – Media Transport: Cryptographic Protection (+ Classified)

.
Implemented Planned
The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information
stored on digital media during transport outside of controlled areas. This control enhancement applies to both portable
storage devices (e.g., USB memory sticks, compact disks, digital video disks, external/removable hard disk drives) and mobile
devices with storage capability (e.g., smart phones, tablets, E-readers). Cryptographic mechanisms during transport outside
of controlled areas shall be either NSA approved or FIPS 140-2 compliant.
10.11.6 MP-6 – Media Sanitization (+ Classified)

See the DAA PM, MP-6, for additional sanitization requirements for specific types of media.
The organization:
Sanitizes all digital and non-digital media prior to Click here to enter text.
disposal, release out of organizational control or release
for reuse IAW NSA/CSS PM 9-12 in accordance with
applicable federal and organizational standards and
policies
Employ sanitization mechanisms with the strength and Click here to enter text.
integrity commensurate with the security category or
classification of the information.
10.11.6.1 MP-6(1) – Media Sanitization: Review/Approve/Track/Document/Verify (+ Classified)
115
Implemented Planned
The organization reviews, approves, tracks, documents and verifies media sanitization and disposal actions.
10.11.6.2 MP-6(2) – Media Sanitization: Equipment Testing (+ Classified Overlay)

Implemented Planned
The organization tests sanitization equipment and procedures at least annually to verify that the intended sanitization is
being achieved.
10.11.6.3 MP-6(3) – Media Sanitization: Non-Destructive Techniques (+ Classified Overlay)

Implemented Planned
The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices
to the IS. The use of nondestructive sanitization techniques (e.g., not destroying the hard drive) are for initial sanitization of
media prior to first use and not when the contents of the digital media require retention.
116
10.11.6.4 MP-6(4) – Media Sanitization: Controlled Unclassified Information WITHDRAWN Incorporated Into MP-6
10.11.6.5 MP-6(5) – Media Sanitization: Classified Information WITHDRAWN Incorporated Into MP-6
10.11.6.6 MP-6(6) – Media Sanitization: Media Destruction WITHDRAWN Incorporated Into MP-6
10.11.7 MP-7 – Media Use (+ Classified Overlay) – NEW BASELINE

Implemented Planned
Using technical safeguards, the organization prohibits the use of certain types of media on IS; e.g., restricting the use of flash
drives or external hard disk drives without the express authorization of the AO.
Media Reuse. Certain types of electronic media that have been previously classified under one program may be reused by
another program of the same classification level or higher (e.g., S//ABC hard disk is transferred to S//XYZ, or S//ABC hard
disk is transferred to TS//LMNO). The individual types of media required for reuse must have specific procedures
documented and approved by the system AO. Best practices for wiping magnetic media or SSD for reuse include: 1. One
time overwrite utilizing a known pattern and an AO approved product, and then verifying that the overwrite was successful
utilizing a hex editor tool from the first to last sector; or 2. Encrypt the whole media with an AO approved whole disk
encryption (WDE) tool and then destroy the key. For any media type the spirit of the procedures must ensure any labels or
evidence of the previous program has been removed prior to handoff to the gaining ISSM or Security Officer.
Least Privilege [AC-6] and Separation of Duties [AC-5] are related controls and should be enforced to the maximum extent
possible to prevent unauthorized removal of information from the system.
10.11.7.1 MP-7(1) – Media Use: Prohibit Use without Owner – NEW BASELINE
Implemented Planned
The organization prohibits the use of portable storage devices in organizational information systems when such devices
have no identifiable owner.
117

10.11.8 MP-8 – Media Downgrading (+ Classified Overlay) – NEW

The organization:
Establishes a media downgrading process that includes Click here to enter text.
employing downgrading mechanisms based on the
classification of the media
Ensures that the IS media downgrading process is Click here to enter text.
commensurate with the security category and/or
classification level of the information to be removed and
the access authorizations of the potential recipients of
the downgraded information
Identifies the IS media requiring downgrading Click here to enter text.
Downgrades the identified IS media using the Click here to enter text.
established process
10.11.8.1 MP-8(1) – Media Downgrading: Documentation of Process (+ Classified Overlay) – NEW

Implemented Planned
The organization prohibits the use of portable storage devices in organizational information systems when such devices
have no identifiable owner.
118
10.11.8.2 MP-8(2) – Media Downgrading: Equipment Testing (+ Classified Overlay) – NEW

Implemented Planned
The organization employs appropriate tests of downgrading equipment and procedures to verify correct performance at
least annually.
10.11.8.3 MP-8(4) – Media Downgrading: Classified Information (+ Classified Overlay) – NEW

Implemented Planned
The organization downgrades IS media containing classified information prior to release to individuals without required
access authorizations in accordance with NSA standards and policies. This control may only need to be addressed if a
system downgrade or tech transfer is required, e.g., based on an authorized administrative information downgrade
(classification/program levels) by an Original Classification Authority (OCA).
119
PHYSICAL AND ENVIRONMENT PROTECTION (PE)

10.12.1 PE-1 – Physical and Environmental Protection Policy and Procedures
10.12.2 PE-2 – Physical Access Authorizations
Implemented Planned
This control applies to organizational employees and visitors. Individuals (e.g., employees, contractors, and others) with
permanent physical access authorization credentials are not considered visitors. This control only applies to areas within
facilities that have not been designated as publicly accessible. Ensure Support Systems are controlled within and managed
by cleared individuals. Support Systems include card/badge creation systems, card reader systems, alarm systems, and
music sound cover systems. These systems may be addressed in the Fixed Facility Checklist (FFC) or Facility SOP.
The organization:
Develops, approves, and maintains a list of individuals Click here to enter text.
with authorized access to the facility where the
information system resides
Issues authorization credentials for facility access Click here to enter text.
Reviews the access list detailing authorized facility Click here to enter text.
access by individuals [annually or as policy and
procedures dictate changes are required
Removes individuals from the facility access list when Click here to enter text.
access is no longer required
10.12.2.1 PE-2(3) – Physical Access Authorizations: Restrict Unescorted Access (+ Classified Overlay) – NEW
Implemented Planned
The organization restricts unescorted access to the facility where the information system resides to personnel with security
clearances and/or formal access approval as defined by the local security policy (i.e., Facility SOP).
120
10.12.3 PE-3 – Physical Access Control

Implemented Planned
The organization:
Enforces physical access authorizations by: Verifying Click here to enter text.
individual access authorizations before granting access
to the facility; and Controlling ingress/egress to the
facility;
Maintains physical access audit logs Click here to enter text.
Provides security safeguards to control access to areas Click here to enter text.
within the facility officially designated as publicly
accessible. Physical casings include for example, locking
computer racks to protect mission critical servers,
network routers, etc. As an alternative, these devices
may be secured in a room (e.g., a server room) with
access limited to privileged users.
Escorts visitors and monitors visitor activity Click here to enter text.
Secures keys, combinations, and other physical access Click here to enter text.
devices
Inventories physical access devices within as required Click here to enter text.
Changes combinations and keys when first installed or Click here to enter text.
used; if believed to have been subjected to compromise;
and when considered necessary by the cognizant
security authority (CSA) and/or when keys are lost,
combinations are compromised, or individuals are
transferred or terminated
10.12.3.1 PE-3(1) – Physical Access Control: Information System Access – NEW BASELINE
Implemented Planned
121

The organization enforces physical access authorizations to the information system in addition to the physical access
controls for the facility for those areas where there is a concentration of IS components (e.g., server rooms, media storage
areas, etc.)
10.12.3.2 PE-3(2) – Physical Access Control: Facility/Information System Boundaries (+ Classified Overlay)
Implemented Planned
The organization performs random security checks at the physical boundary of the facility or information system for
unauthorized exfiltration of information or removal of information system components.
10.12.3.3 PE-3(3) – Physical Access Control: Continuous Guards/Alarms/Monitoring (+ Classified Overlay)

Implemented Planned
The organization employs guards and/or alarms to monitor every physical access point to the facility where the information
system resides 24 hours per day, 7 days per week.
122
10.12.4 PE-4 – Access Control for Transmission Medium (+ Classified Overlay) (- Standalone Overlay)
Implemented Planned
The organization controls physical access to information system distribution and transmission lines within organizational
facilities. Security safeguards include locked wiring closets, disconnected or locked spare jacks, and protection of cabling by
conduit or cable trays.
10.12.5 PE-5 – Access Control for Output Devices

.
Implemented Planned
The organization controls physical access to information system output devices to prevent unauthorized individuals from
obtaining the output. Output devices, such as printers and fax machines of differing security classifications, should not be
placed in close proximity to one another. Fax machines shall be kept in a separate area from printers, since they are both
input and output devices. If Foreign Nationals are, output devices of US-only systems must be under constant observation
by cleared US personnel.
See the DAA PM for additional information on the use of KVM Switches.
10.12.5.1 PE-5(3) – Access Control for Output Devices: Marking Output Devices (+ Classified Overlay) – NEW
Implemented Planned
123

The organization marks all output devices in facilities containing information systems that store, process or transmit
classified information indicating the appropriate security marking of the information permitted to be output from the
device.
10.12.6 PE-6 – Monitoring Physical Access

Implemented Planned
The organization:
Monitors physical access to the facility where the Click here to enter text.
information system resides to detect and respond to
physical security incidents
Reviews physical access logs at least every 90 days or as Click here to enter text.
required by the and upon occurrence of physical access
incidents
Coordinates results of reviews and investigations with the Click here to enter text.
organizational incident response capability
10.12.6.1 PE-6(1) – Monitoring Physical Access: Intrusion Alarms/Surveillance Equipment – NEW BASELINE
Implemented Planned
The organization monitors physical intrusion alarms and surveillance equipment.
124
10.12.7 PE-7 – Visitor Control includes PE-7(1) – Visitor Control: Visitor Escort and PE-7(2) – Visitor Control: Visitor Identification
– WITHDRAWN Incorporated into PE-2 and PE-3
10.12.8 PE-8 – Access Records

Implemented Planned
The organization:
Maintains visitor access records to the facility where the Click here to enter text.
information system resides for the period required by
NISPOM (at least 2 years).
Reviews visitor access records at least every 90 days. Click here to enter text.
10.12.9 PE-12 – Emergency Lighting

Implemented Planned
The organization employs and maintains automatic emergency lighting for the IS that activates in the event of a power
outage or disruption and that covers emergency exits and evacuation routes within the facility.
10.12.10 PE-13 – Fire Protection

Implemented Planned
125

The organization employs and maintains fire suppression and detection devices/systems for the IS that are supported by an
independent energy source. As described in DoDM 5205.07-V3 fire detection systems shall not be tied into the facility’s IDS.
The fire suppression and detection devices/systems, with the exception of tactical environments, shall activate
automatically and notify the organization and emergency responders in the event of a fire. Automatic fire suppression
capability is required when the facility is not staffed on a continuous basis. Additionally, organizations shall ensure the
facility undergoes, in accordance with local regulations, fire marshal inspections and promptly resolves identified
deficiencies.
10.12.11 PE-14 – Temperature and Humidity Controls

Implemented Planned
Organizations shall maintain temperature and humidity levels within the facility where the information systems reside at
acceptable levels, as defined by the organization, and shall continuously monitor these levels. In addition, organizations
shall ensure that temperature and humidity controls with remote maintenance and testing (RMAT) capability are properly
configured for use by disabling automatic or remote connection capability. When remote connection capability is required
for central management of the HVAC system, it shall be identified on the FFC and approved by the CSA.
10.12.12 PE-15 – Water Damage Protection

Implemented Planned
The organization protects the information system from damage resulting from water leakage by providing master shutoff r
126

isolation valves that are accessible, working properly, and known to key personnel. This control applies primarily to facilities
containing concentrations of IS resources; for example, server rooms, data centers, etc.
10.12.13 PE-16 – Delivery and Removal

Implemented Planned
The organization authorizes, monitors, and controls all IS components entering and exiting the facility and maintains
records of those items.
10.12.14 PE-17 – Alternate Work Site
Implemented Planned
The organization employs management, operational and technical information system security controls at the alternate
work site equivalent to those applicable to the primary work site. These security controls shall be assessed as feasible to
determine the effectiveness of these controls. The alternate work site shall provide a means for employees to communicate
with information security personnel in case of security incidents or problems.
An alternate work site has not been established.
127
10.12.15 PE-19 – Information Leakage (+ Classified Overlay)

Implemented Planned
The organization protects the information system from information leakage due to electromagnetic signals emanations.
Information systems, peripherals, associated data communications, and networks (planned or installed) that may be used to
process national security or security-related information may need to meet certain national TEMPEST policies and
procedures. The objective is to minimize the risk of Foreign Intelligence Services (FIS) exploiting unintentional emanations
from intelligence systems. TEMPEST is a short name referring to investigations and studies of compromising emanations.
Please refere to CNSSI 7003.
10.12.15.1 PE-19(1) – Information Leakage: National Emissions/TEMPEST Policies and Procedures (+ Classified Overlay)
Implemented Planned
The organization ensures that IS component, associate data communications, and networks are protected in accordance
with national emissions and TEMPEST policies and procedures based on the security category or classification of the
information.
128
PLANNING (PL)
10.13.1 PL-1 – Security Planning Policy and Procedures
10.13.2 PL-2 – System Security Plan

Implemented Planned
System Security Plans (SSPs) shall be classified in accordance with the Program Security Classification Guide (SCG) and in
order to minimize OPSEC indicators.
The organization:
Develops a security plan for the IS that: Click here to enter text.
 Conforms to the SSP template as provided by the
ISSM
 Is consistent with the enterprise architecture.
 Explicitly defines the authorization boundary for the
system.
 Describes the operational context of the information
system in terms of missions and business processes.
 Describes the CONOPS for the information system
including, at a minimum, the purpose of the system
and a description of the system architecture.
 Provides the impact levels for Confidentiality,
Integrity and Availability of the information system
including supporting rationale.
 Describes the functional architecture for the
information system that identifies:
 External interfaces, the information being exchanged
across the interfaces, and the protection mechanisms
associated with each interface.
 User roles and the access privileges assigned to each
role.
 Unique security requirements.
 Types of information processed, stored, or
transmitted by the information system and any
specific protection needs in accordance with
applicable federal laws, EOs, directives, policies,
regulations, standards, and guidance (to include any
unique requirements of the Information
Owner/Steward).
 Restoration priority of information or information
system services.
 Describes the operational environment for the
information system.
129
 Describes relationships with or connections to other

information systems, include ISAs and ATCs, as
applicable.
 Identifies the security requirements for the
information system, as captured in the SCTM. See
Appendix C for guidance on SCTM creation.
 Identifies controls tailored in or tailored out by the
AO.
 Identifies any exceptions, which denotes a control or
part of a control that is not met and is an accepted
risk by the AO. Exceptions should also be captured
on the POA&M unless otherwise directed by the AO.
 Identifies the type of control (common, system
specific, or hybrid) and describes how the security
controls are implemented or planned to be
implemented including a rationale for any tailoring
and supplementation decisions
 Identifies the controls tailored out/in/modified as
approved by the DAO
 Identifies any exceptions; i.e., a control or part of a
control that is not or cannot be met and is an
accepted risk by the DAO. Exceptions shall also be
included in the POA&M.
 Approved by the DAO ICW the SCA prior to the plan
implementation
Distributes copies of the plan and communicates
subsequent changes to the plan to all required
stakeholders, to include the DAO
Reviews the security plan at least annually or when
required due to system changes or modifications
Updates the plan to address changes to the IS/operations

environment or problems identified during plan
implementation or security control assessments
Protects the security plan from unauthorized disclosure
and modification
10.13.2.1 PL-2(3) – System Security Plan: Coordinate with Organization Entities – NEW BASELINE
Implemented Planned
The organization plans and coordinates security-related activities affecting the IS with all relevant organizations or groups
130

before conducting such activities in order to reduce the impact on other organizational entities.
10.13.3 PL-4 – Rules of Behavior

Implemented Planned
Rules of Behavior are addressed as part of user security awareness and training. See Security Training [AT-3]. Signed
acknowledgement of the rules of behavior is covered via user access agreements. See User Agreements [PS-6]. The rules of
behavior are also referred to as the Acceptable Use Policy (AUP). See the DAA PM for a list of the minimum responsibilities
of a General User.
The organization:
Establishes and makes readily available to individuals Click here to enter text.
requiring access to the information system, the rules
that describe their responsibilities and expected
behavior with regard to information and information
system usage
Receives a signed acknowledgment from such Click here to enter text.
individuals, indicating that they have read, understand,
and agree to abide by the rules of behavior, before
authorizing access to information and the information
system
Reviews and updates the rules of behavior at least Click here to enter text.
annually
Requires individuals who have signed a previous version Click here to enter text.
of the rules of behavior to read and re-sign when the
rules of behavior are revised/updated
10.13.3.1 PL-4(1) – Rules of Behavior: Social Media and Networking Restrictions – NEW BASELINE
Implemented Planned
131

The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and
posting organizational information on public websites.
10.13.4 PL-5 – Privacy Impact Assessment – WITHDRAWN Incorporated into Appendix J, AR-2
10.13.5 PL-6 – Security-Related Activity Planning – WITHDRAWN Incorporated into PL-2
10.13.6 PL-8 – Information Security Architecture– NEW BASELINE

Implemented Planned
This control can be met through detailed descriptions in the SSP of the system overview, system environment, facility
diagram, network architecture, system diagram, and system connectivity.
The organization:
Develops an information security architecture for the IS Click here to enter text.
that: describes the overall philosophy, requirements,
and approach to be taken with regard to protecting the
confidentiality, integrity and availability of
organizational information; describes how the IS
architecture is integrated into and supports the
enterprise architecture; and describes any information
security assumptions about, and dependencies on,
external services
Reviews and updates the information security at least Click here to enter text.
annually or when changes to the IS or its environment
warrant to reflect updates in the enterprise architecture
Ensures that planned information security architecture Click here to enter text.
changes are reflected in the security plan, the security
Concept of Operations (CONOPS) (if appropriate), and
organizational procurements/acquisitions
Requires individuals who have signed a previous version Click here to enter text.
of the rules of behavior to read and re-sign when the
rules of behavior are revised/updated
132
10.13.6.1 PL-8(1) – Information Security Architecture: Defense in Depth – NEW BASELINE

Implemented Planned
The organization designs its security architecture using a defense in depth approach that allocates security safeguards
based on security impact to Program IS; and ensures that the allocated security safeguards operate in a coordinated and
mutually reinforcing manner.
10.13.6.2 PL-8(2) – Information Security Architecture: Supplier Diversity – NEW BASELINE

Implemented Planned
The organization requires that equipment and services to meet the security safeguards based on security impact to
Program IS and its operational environment are obtained from different suppliers.
133
PERSONNEL SECURITY (PS)

10.14.1 PS-1 – Personnel Security Policy and Procedures
10.14.2 PS-2 – Position Categorization

Implemented Planned
Access to individual Programs will be managed IAW NISPOM). Positions will be reviewed annually or as policy and
procedures dictate changes are required.
10.14.3 PS-3 – Personnel Screening
Implemented Planned
Organizations shall ensure that every user accessing an IS processing, storing, or transmitting types of classified information
which require formal indoctrination, is formally indoctrinated for all information for which the user is authorized access.
The organization:
Screens individuals prior to authorizing access to the Click here to enter text.
information system
Rescreens individuals according to personnel security Click here to enter text.

guidelines defined
10.14.3.1 PS-3(1) – Personnel Screening: Classified Information (+ Classified Overlay)

134
Implemented Planned
The organization ensures that individuals accessing an information system processing, storing, or transmitting types of
classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of
information to which they have access on the system. Reference DoDM 5205.07-V2.
10.14.3.2 PS-3(3) – Personnel Screening: Information With Special Protection Measures (+ Privacy Overlay) – NEW
Implemented Planned
The organization ensures that individuals accessing an IS processing, storing or transmitting information requirement special
protection: (a) have valid access authorizations that are demonstrated by assigned official government duties; and (b) satisfy
any organizationally-required background screenings.
10.14.4 PS-4 – Personnel Termination (+ Classified)

Implemented Planned
When any system user (to include privileged and non-privileged users) leaves the organization due to employment
termination (whether voluntary of involuntary) or retirement, the responsible for user account management must ensure all
system accesses are removed. This includes notifying other organizations that may have granted system accesses (for
example, collateral systems access, database access managed by another agency or organization, etc.). Notification of an
employee’s termination is the responsibility of the organization. The organization must also ensure that information
135
deemed to be of value is retained before the departing user’s accounts are archived and removed. The property custodian
must retrieve any equipment issued to the departing individual, such as laptops or PEDs. The loss of security clearance or
formal access approval (through de-briefing, suspension or revocation) requires immediate deactivation of all accounts
associated with the individual.
The organization, upon termination of an individual:
Disables information system access within 24 hours Click here to enter text.
Terminates/revokes any authenticators/credentials Click here to enter text.
associated with the individual
Conducts exit interviews that include a discussion of any Click here to enter text.
prohibitions regarding the information obtained during
the employment
Retrieves all security-related organizational information Click here to enter text.
system-related property
Retains access to organizational information and Click here to enter text.
information systems formerly controlled by terminated
individual
Notifies the immediately upon termination Click here to enter text.
10.14.4.1 PS-4(1) – Personnel Termination: Post-Termination Requirements (+ Classified Overlay) – NEW BASELINE
Implemented Planned
The organization (a) notified termination individuals of applicable, legally binding post-employment requirements for the
protection of organizational information; and (b) requires terminated individuals to sign an acknowledgment of post-
employment requirements as part of the organizational termination process.
10.14.5 PS-5 – Personnel Transfer

Implemented Planned
136
Notify other organizations that may have granted system accesses (for example, collateral systems access, database access
managed by another agency or organization) of the individual’s transfer or reassignment. Notification of an employee’s
transfer or reassignment shall be documented as the responsibility of the employee’s supervisor or Human Resources. The
property custodian must determine whether any equipment issued to the individual, such as laptops or PEDs, should be
retrieved or transferred to another property account. Reference AC-2 for additional requirements.
The organization, upon transfer of an individual:
Reviews and confirms any ongoing operational need for Click here to enter text.
current logical and physical access authorizations to
information systems/facilities when individuals are
reassigned or transferred to other positions within the
organization
Initiates reassignment actions to ensure all system Click here to enter text.
access no longer required (need to know) are removed
or disabled within 10 working days
Modifies access authorization as needed to correspond Click here to enter text.
with any changes in operational need due to
reassignment or transfer
Notifies the ISSM as soon as possible Click here to enter text.
10.14.6 PS-6 – Access Agreements

Implemented Planned
All users are required to read and sign a Standard Mandatory Notice and Consent provision for all IS, (i.e., General User
Access Agreement and Acknowledgement of Responsibilities) prior to being granted access to information systems. In
addition, privileged users are required to read and sign a Privileged User Access Agreement and acknowledgement of
Responsibilities prior to being granted elevated privileges to IS and applications. These agreements must be reviewed and
updated upon account creation, user transfer or user termination. Organizations may add additional requirements to the
agreement provided they do not conflict with the official verbiage. See Account Management [AC-2] for additional
information on user roles and responsibilities.
The User Access Agreement shall be retained by the ISSM for a minimum of two (2) years after access is removed.
Organizations shall ensure that access to any information with special protection measures is granted only to individuals
who:
• Have a valid access authorization that is demonstrated by assigned official government duties.
• Satisfy associated personnel security criteria consistent with applicable federal laws, EOs, directives, policies,
regulations, standards, and guidance.
• Have read, understand, and signed a nondisclosure agreement (if applicable).
Information with special protection measures includes, for example, privacy information, proprietary information, and
Sources and Methods Information (SAMI).
The organization:
137
Develops and documents access agreements for Click here to enter text.
organizational information systems
Reviews and updates access agreements at least Click here to enter text.
annually
Ensures that individuals requiring access to organization Click here to enter text.
information and IS: sign appropriate access agreements
prior to being granted access; re-sign access agreements
to maintain access to organization IS when access
agreements have been update or at least annually
10.14.6.1 PS-6(1) – Access Agreements: Information Requiring Special Protection – WITHDRAWN Incorporated into PS-3
10.14.6.2 PS-6(2) – Access Agreements: Classified Information Requiring Special Protection (+ Classified Overlay)
Implemented Planned
The organization ensures that access to classified information requiring special protection is granted only to individuals who
(a) have a valid access authorization that is demonstrated by assigned official government duties; (b) satisfy associated
personnel security criteria; and (c) have read, understood, and signed a nondisclosure agreement.
10.14.6.3 PS-6(3) – Access Agreements: Post-Employment Requirements (+ Classified Overlay) – NEW BASELINE
Implemented Planned
The organization (a) notifies individuals of applicable, legally-binding post-employment requirements for protection of
organizational information; (b) requires individuals to sign an acknowledgment of these requirements, if applicable, as part
of granting initial access to covered information.
138
10.14.7 PS-7 – Third-Party Personnel Security

Implemented Planned
The term “third party” as it relates to personnel security and contracts is not frequently used in DoD. If a third-party
situation seems to apply, contact the AO and/or contracting representative for clarification and guidance. For ARMY: ensure
DSS contacted if appropriate.
The organization:
Establishes personnel security requirements including Click here to enter text.
security roles and responsibilities for third-party
providers
Requires third-party providers to comply with personnel Click here to enter text.
security policies and procedures established by the
organization
Documents personnel security requirements Click here to enter text.

Requires third-party providers to notify the organization Click here to enter text.
of any personnel transfers or terminations of third-party
personnel who possess organizational credentials and/or
badges, or who have information system privileges as
soon as possible, but not to exceed 1 working day
Monitors provider compliance Click here to enter text.
10.14.8 PS-8 - Personnel Sanctions

Implemented Planned
All instances where an individual fails to comply with established information security policies and procedures will be treated
as security incidents .
The organization:
139
Employs a formal sanctions process for individuals failing Click here to enter text.
to comply with established information security policies
and procedures
Notifies the appropriate organizations as soon as Click here to enter text.
possible when a formal employee sanctions process is
initiated, identifying the individual sanctioned and the
reason for the sanction
140
RISK ASSESSMENT (RA)

10.15.1 RA-1 – Risk Assessment Policy and Procedures
10.15.2 RA-2 – Security Categorization

Implemented Planned
The ISSM shall work with Program in determining the appropriate security categorization as part of the initial preparatory
actions prior to selecting and tailoring the security controls.
The organization:
Categorizes information and the information system in Click here to enter text.
accordance with applicable federal laws, Executive
Orders, and directives, policies, regulations, standards,
and guidance
Documents the security categorization results (including Click here to enter text.
supporting rationale) in the SSP for the information
system
Ensures that the security categorization decision is Click here to enter text.
reviewed by the SCA and approved by the AO/AO-
Representative
10.15.3 RA-3 – Risk Assessment
Implemented Planned
The Risk Assessment Report (RAR) is part of the required Body of Evidence (BoE) provided to the DAO as the basis of the
authorization to operate decision. The RAR should be initiated prior to or during Step 1, Security Categorization.
The organization:
Conducts an assessment of risk, including the likelihood Click here to enter text.
and magnitude of harm, from the unauthorized access,
use, disclosure, disruption, modification, or destruction
141
of the information system and the information it

processes, stores, or transmits
Documents risk assessment results in the Risk Click here to enter text.
Assessment Report (RAR)
Reviews risk assessment results at least annually Click here to enter text.
Disseminates risk assessment results to the SCA for Click here to enter text.
initial review and to the AO/AO-Representative for final
approval
Updates the risk assessment at least annually or Click here to enter text.
whenever there are significant changes to the
information system or environment of operation
(including the identification of new threats and
vulnerabilities), or other conditions that may impact the
security state of the system
10.15.4 RA-5 – Vulnerability Scanning

Implemented Planned
Information revealing specific vulnerabilities (other than the known vulnerabilities of widely available commercial products)
and the compiled results of vulnerability analyses for systems shall be classified in accordance with the Program SCG.
Organizations shall use vulnerability assessment tools, such as the SCAP Security Scanner (SCC) with current benchmarks.
The ISSM/ISSO shall analyze vulnerability scans to determine true vs. false positives. True vulnerabilities identified as part of
a scan shall be added to the POA&M.
The organization:
Scans for vulnerabilities in the information system and Click here to enter text.
hosted applications at least quarterly and when new
vulnerabilities potentially affecting the
system/applications are identified and reported
Employs vulnerability scanning tools and techniques that Click here to enter text.
facilitate interoperability among tools and automate
parts of the vulnerability management process by using
standards for: Enumerating platforms, software flaws,
and improper configurations; Formatting checklists and
test procedures; and Measuring vulnerability impact
Analyzes vulnerability scan reports and results from Click here to enter text.
security control assessments
Remediates legitimate vulnerabilities based on guidance Click here to enter text.
provided by the IAVM Program or AO in accordance with
an organizational assessment of risk
142

Shares information obtained from the vulnerability Click here to enter text.
scanning process and security control assessments with
the AO/AO-Representative and the SCA to help eliminate
similar vulnerabilities in other information systems (i.e.,
systemic weaknesses or deficiencies)
Updates the POA&M with true vulnerabilities identified Click here to enter text.
during scanning
10.15.4.1 RA-5(1) – Vulnerability Scanning: Update Tool Capability

Implemented Planned
The organization employs vulnerability scanning tools that include the capability to readily update the information system
vulnerabilities to be scanned.
10.15.4.2 RA-5(2) – Vulnerability Scanning: Update by Frequency/Prior to New Scan/When Identified

Implemented Planned
The organization updates the information system vulnerabilities scanned as new automated tool scripts are issued; within
30 days prior to running scans; prior to a new scan; when new vulnerabilities are identified and reported. This control
143
10.15.4.3 RA-5(4) – Vulnerability Scanning: Discoverable Information

Implemented Planned
The organization determines what information about the information system is discoverable by adversaries and
subsequently documents the information, determines potential risk, and takes corrective action to mitigate the
vulnerabilities.
10.15.4.4 RA-5(5) – Vulnerability Scanning: Privileged Access

Implemented Planned
Organizations shall provide privileged access authorization to all systems and infrastructure components for vulnerability
scanning activities to facilitate more thorough scanning.
10.15.4.5 RA-5(7) – Vulnerability Scanning: Automated Detection and Notification of Unauthorized Components – WITHDRAWN
Incorporated into CM-8
10.15.5 RA-6 – Technical Surveillance Countermeasures Survey (+ Classified Overlay) – NEW

Implemented Planned
144
The organization employs a technical surveillance countermeasures survey at their facilities as required.
145
SYSTEM AND SERVICES ACQUISITION

10.16.1 SA-1 – System and Services Acquisition Policy and Procedures
10.16.2 SA-2 – Allocation of Resources

Implemented Planned
As applicable, Statements of Work (SOW) will include a DD Form 254 and address contractor-related security issues
including, but not limited to:
 Personnel security.
 Physical security.
 Information systems in support of the contract.
 TEMPEST requirements.
 Applicable security regulations.
 Defense Federal Acquisition Regulation (DFAR) clause mandating personnel performing IA functions is certified
under DoDD 8570.01, Information Assurance (IA) Training, Certification, and Workforce Management, and DoD
8570.01-M.
A Government official, either the ISSE/IASAE or DAO/designee, will coordinate with the Program on these specific
requirements depending upon the particular acquisition.
The organization:
Determines information security requirements for the IS Click here to enter text.
or IS service in mission/business process planning
Determines, documents, and allocates the resources Click here to enter text.
required to protect the IS or IS service as part of its
capital planning and investment control process
Establish a discrete line item for information security in Click here to enter text.
organizational programming and budgeting
documentation
10.16.3 SA-3 – System Development Life Cycle

Implemented Planned
146

The organization:
Manages information systems using an SDLC Click here to enter text.

methodology that incorporates information security
considerations
Defines and documents information security roles and Click here to enter text.
responsibilities throughout the SDLC
Identify individuals having information security roles and Click here to enter text.
responsibilities
Integrate the organizational information security risk Click here to enter text.
management process into system development life cycle
activities
10.16.4 SA-4 – Acquisition Process

Implemented Planned
The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition
contracts for the IS, system component, or IS service in accordance with applicable federal laws, Executive Orders,
directives, policies, regulations, standards, guidelines, and organizational business/mission needs: a. Security functional
requirements; b. Security strength requirements; c. Security assurance requirements; d. Security-related documentation
requirements; e. Requirements for protecting security-related documentation; f. Description of the IS development
environment and environment in which the system is intended to operate; and g. Acceptance criteria.
10.16.4.1 SA-4(1) – Acquisition Process: Functional Properties of Security Controls – NEW BASELINE
Implemented Planned
147

The organization requires the developer of the IS, system component, or the IS service to provide a description of the
functional properties of the security controls to be employed. The organization obtains, protects as required, and makes
available to authorized personnel, vendor/manufacturer documentation that describes the functional properties of the
security controls employed within information systems with sufficient detail to permit analysis and testing.
10.16.4.2 SA-4(2) – Acquisition Process: Design/Implementation Information for Security Controls (- Standalone Overlay) – NEW
BASELINE
Implemented Planned
The organization requires the developer of the IS, system component, or IS service to provide design and implementation
information for the security controls to be employed that includes: security-relevant external system interfaces; high level
design; source code or hardware schematics and other system or service specific implementation information at a sufficient
level of detail.
10.16.4.3 SA-4(6) – Acquisition Process: Use of Information Assurance Products (+ Classified Overlay)
Implemented Planned
The organization shall employ only GOTS or COTS IA and IA-enabled IT products that compose an NSA-approved solution to
protect classified information when the system(s)/networks used to process, store, and/or transmit the information are at a
lower classification level than the information being transmitted (i.e., tunneling) [SA-4(6) (a)], ensure that these products
have been evaluated and/or validated by NSA or in accordance with NSA-approved procedures.
148
10.16.4.4 SA-4(7) – Acquisition Process: NIAP Approved Protection Profiles – NEW BASELINE
Implemented Planned

The organization (a) limits the use of commercially provided IA and IA-enabled IT products to those products that have been
successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a
specific technology type, if such a profile exists; (b) Requires, if no NIAP-approved Protection Profile exists for a specific
technology type but a commercially provided IT products relies on cryptographic functionality to enforce its security policy,
that the cryptographic module is FIPS-validated.
10.16.4.5 SA-4(9) – Acquisition Process: Functions/Ports/Protocols/Services in Use – NEW BASELINE

Implemented Planned
The organization requires the developer of the IS, system component, or IS service to identify early in the SDLC, the
functions, ports, protocols, and services intended for organizational use. This allows the organization the opportunity to
influence the design of the IS, IS component or IS service to prevent unnecessary risks.
10.16.4.6 SA-4(10) – Acquisition Process: Use of Approved PIV Products (- Standalone Overlay) – NEW BASELINE
Implemented Planned
149

The organization employs only IT products on the FIPS 201-approved products list for Personally Identify Verification (PIV)
(aka CAC) capability implemented within organization information systems.
10.16.5 SA-5 – Information System Documentation

Implemented Planned
The organization:
Obtain administrator documentation for the IS, IS Click here to enter text.
component, or IS service that describes: (1) Secure
configuration, installation, and operation of the
information system; (2) Effective use and maintenance
of security features/functions; and (3) Known
vulnerabilities regarding configuration and use of
administrative (i.e., privileged) functions.
Obtain user documentation for he IS, IS component, or Click here to enter text.
IS service that describes: (1) User-accessible security
features/functions and how to effectively use those
security features/functions; (2) Methods for user
interaction with the information system, which enables
individuals to use the system in a more secure manner
(e.g. training materials, user guides, Standard Operating
Procedures); (3) User responsibilities in maintaining the
security of the information and information system
Document attempts to obtain IS, IS component, or IS Click here to enter text.
service documentation when such documentation is
either unavailable or nonexistent
Protects documentation as required, in accordance with Click here to enter text.

the risk management strategy
Distributes documentation to stakeholders Click here to enter text.
150
10.16.5.1 SA-5 (1) – Information System Documentation: Functional Properties of Security Controls – WITHDRAWN Incorporated
into SA-4(1)
10.16.5.2 SA-5(2) – Information System Documentation: Security Relevant External System Interfaces – WITHDRAWN
Incorporated into SA-4(2)
10.16.6 SA-6 - Software Usage Restrictions – WITHDRAWN Incorporated into CM-10 and SI-7
10.16.7 SA-7 – User-Installed Software – WITHDRAWN Incorporated into CM-11 and SI-7
10.16.8 SA-8 – Software Engineering Principles

Implemented Planned
Organizations shall apply information system security engineering principles in the specification, design, development,
implementation, and modification of information systems. Examples of security engineering principles include, but are not
limited to: Developing layered protections; Establishing sound security policy, architecture, and controls as the foundation
for design; Incorporating security into the SDLC; Delineating physical and logical security boundaries; Ensuring system
developers and integrators are trained on how to develop secure software; Tailoring security controls to meet
organizational and operational needs; Reducing risk to acceptable levels, thus enabling informed risk management
decisions .
10.16.9 SA-9 – External Information System Services (- Standalone and CRN Overlay)
Implemented Planned
External Information System services are service that are implemented outside of the authorization boundary of the
organizational information system (i.e., a service that is used by, but not a part of, the organizational information system).
Relationships with external service providers are established in a variety of ways, for example, through joint ventures,
business partnerships, outsourcing arrangements (i.e., contracts, interagency agreements, lines of business arrangements),
licensing agreements, and/or supply chain exchanges. The responsibility for adequately mitigating risks arising from the use
of External Information System services remains with the AO. When a sufficient level of trust cannot be established in the
external services and/or service providers, the organization shall employ compensating security controls or accept the
greater degree of risk.
The organization:
151

Require that providers of External Information System Click here to enter text.
services comply with organizational information security
requirements and employ appropriate security controls
in accordance with applicable federal laws, EOs,
directives, policies, regulations, standards, and guidance
Defines and documents government oversight and user Click here to enter text.
roles and responsibilities with regard to External
Information System services
Employs appropriate processes and/or technologies to Click here to enter text.
monitor security control compliance by external service
providers on an ongoing basis.
10.16.9.1 SA-9(1) – External Information System Services: Risk Assessment/Organizational Approvals (- Standalone Overlay)
Implemented Planned
The organization (a) conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated
information security services; and (b) Ensures the acquisition or outsourcing of dedicated information security services is
approved as defined at the system or program level. Organizations should ensure that individuals with the regulatory and
organizational authority to outsource services conduct full scope risk assessments and ensure that appropriate individuals
are involved in this decision. This approval line can be reserved for CIO, AO, or contracting officer as appropriate based on
an organization’s structure. Dedicated information security services include, for example, incident monitoring, analysis and
response, operation of information security-related devices such as firewalls, or key management services.
10.16.9.2 SA-9(2) – External Information System Services: Identification of Functions/Ports/Protocols/Services – NEW BASELINE
Implemented Planned
152

The organization requires providers of all external information systems and services to identify the functions, ports,
protocols, and other services required for the use of such services.
10.16.9.3 SA-9(5) – External Information System Services: Processing, Storage, and Service Location (+ Privacy Overlay) – NEW
Implemented Planned
The organization restricts the location of classified or sensitive information processing, information/data storage, or IS
services to locations approved for such processing and to appropriately cleared and access individuals.
10.16.10 SA-10 – Developer Configuration Management

Implemented Planned
This control also applies to organizations conducting internal information systems development and integration.
Maintaining the integrity of changes to the information system, information system component, or information system
service requires configuration control throughout the system development life cycle to track authorized changes and
prevent unauthorized changes. Configuration items that are placed under configuration management (if existence/use is
required by other security controls) include: the formal model; the functional, high-level, and low-level design specifications;
other design data; implementation documentation; source code and hardware schematics; the running version of the object
code; tools for comparing new versions of security-relevant hardware descriptions and software/firmware source code with
previous versions; and test fixtures and documentation.
The organization shall require that IS developers/integrators of the IS, system component of IS service to:
Perform configuration management during IS, system Click here to enter text.
component of IS service design development,
implementation and operation
Document, manage, and control the integrity of changes Click here to enter text.
to IS, system component of IS services
153

Implement only organization-approved changes to the Click here to enter text.
IS, system component of IS service
Document approved changes to the IS, system Click here to enter text.
component of IS service and the potential security
impacts of such changes
Track security flaws and flaw resolution within the IS, Click here to enter text.
system component of IS service and report findings to
the ISSM/ISSO
10.16.10.1 SA-10(1) – Developer Configuration Management: Software/Firmware Integrity Verification

Implemented Planned
The organization requires the developer of the IS, system component, or IS service to enable integrity verification of
software and firmware components.
10.16.11 SA-11 – Developer Security Testing and Evaluation

Implemented Planned
Security testing and evaluation will be conducted in consultation with security personnel (e.g., ISSM/ISSO). An objective of
the flaw remediation process is to correct weaknesses and deficiencies identified during the security testing and evaluation
process.
The organization requires the developer of the IS, system component, or information system service to:
Create and implement a security assessment plan Click here to enter text.
Perform the appropriate type of testing/evaluation (e.g., Click here to enter text.
unit, integration, system, regression)
154

Produce evidence of the execution of the security Click here to enter text.
assessment plan and the results of the security
testing/evaluation
Implement a verifiable flaw remediation process Click here to enter text.
Document the results of the security testing/evaluation Click here to enter text.
and flaw remediation processes
10.16.12 SA-12 – Supply Chain Protection

Implemented Planned
Organizations shall conduct a due diligence review of suppliers prior to entering into contractual agreements to acquire
information system hardware, software, firmware, or services, including a review of supplier claims with regard to the use of
appropriate security processes in the development and manufacture of IS components or products.
Organizations protects against supply chain threats to the IS, system component, or IS service by employing security
safeguards in accordance with CNSSD No. 505, Supply Chain Risk Management as part of a comprehensive, defense-in-
breadth information security strategy.
10.16.13 SA-15 – Development Process, Standards and Tools – NEW BASELINE

Implemented Planned
The organization::
Requires the developer if the IS, system component, or Click here to enter text.
IS service to follow a documented process that: (1)
explicitly addresses security requirements; (2) identifies
the standards and tools used in the development
process; (3) documents the specific tool options and tool
configuration used in the development process; and (4)
155

documents, manages, and ensures the integrity of
changes to the process and/or tools used in the
development
Reviews the development process, standards, tools, and Click here to enter text.
tool options/configurations regularly but no less than
annually to determine if the process, standards, tools,
and tool options/configurations selected and employed
can satisfy organizational security requirements
10.16.13.1 SA-15(9) – Development Process, Standards and Tools: Use of Live Data (+ Classified Overlay) – NEW BASELINE
Implemented Planned
The organization approves, documents, and controls the use of live data in development and test environments for the IS,
system component, or IS service.
10.16.14 SA-17 – Developer Security Architecture and Design– NEW

Implemented Planned
The organization requires the developer of the IS, system component, or IS service to produce a design specification and
security architecture that:
Is consistent with and supportive of the organization’s Click here to enter text.
security architecture which is established within and is
an integrated part of the organization’s enterprise
architecture
Accurately and completely describes the required Click here to enter text.
security functionality, and the allocation of security
controls among physical and logical components
156

Expresses how individual security functions, Click here to enter text.
mechanisms, and services work together to provide
required security capabilities and a unified approach to
protection
10.16.15 SA-19 – Component Authenticity – NEW BASELINE

Implemented Planned
The organization::
Develops and implements anti-counterfeit policy and Click here to enter text.
procedures that include the means to detect and
prevent counterfeit components from entering the IS
Reports counterfeit IS components to ASPD and the Click here to enter text.
CIO/G-6 in accordance with AR 380-381
157
SYSTEMS AND COMMUNICATIONS PROTECTION (SC)

10.17.1 SC-1 – Systems and Communications Protection Policy and Procedures
10.17.2 SC-2 – Application Partitioning (+ Classified Overlay) (- Standalone)

Implemented Planned
Application partitioning is separating an application physically or logically into components that run on multiple servers.
This provides additional security by separating specific IS management from general user functionality, as well as load
balancing across the enterprise.
The IS separates user functionality (including user interface services) from information system management functionality.
10.17.3 SC-3 – Security Function Isolation (+ Classified Overlay) – NEW

Implemented Planned
The IS isolates security function from non-security functions. The information system isolates security functions from non-
security functions by means of an isolation boundary (implemented via partitions and domains). Information systems
restrict access to security functions through the use of access control mechanisms and by implementing least privilege
capabilities.
10.17.4 SC-4 – Information in Shared Resources (-Standalone Overlay)

158

Implemented Planned
This prevents information, including encrypted representations of information, produced by the actions of prior users/roles
(or the actions of processes acting on behalf of prior users/roles) from being available to any current users/roles (or current
processes) that obtain access to shared system resources (e.g., registers, main memory, hard disks) after those resources
have been released back to information systems. The control of information in shared resources is also commonly referred
to as object reuse and residual information protection.
The IS prevents unauthorized and unintended information transfer via shared system resources.
10.17.5 SC-5 – Denial of Service Protection (- Standalone and CRN Overlay)

After a relevance determination, this control can be tailored out for standalone IS and CRNs.
Implemented Planned
A variety of technologies exist to limit, or in some cases, eliminate the effects of denial of service attacks. For example,
boundary protection devices can filter certain types of packets to protect information system components on internal
organizational networks from being directly affected by denial of service attacks. Employing increased capacity and
bandwidth combined with service redundancy may also reduce the susceptibility to denial of service attacks.
The IS protects against or limits the effects of denial of service attacks.
10.17.6 SC-5(1) – Denial of Service Protection: Restrict Internal Users (- Standalone and CRN Overlay)
After a relevance determination, this control can be tailored out for standalone IS and CRNs
Implemented Planned
159

Protection against individuals having the ability to launch denial of service attacks may be implemented on specific
information systems or on boundary devices prohibiting egress to potential target systems.
The IS restricts the ability of individuals to launch denial of service attacks against other IS.
10.17.7 SC-7 – Boundary Protection (- Standalone and CRN Overlay)

Implemented Planned
This requirement also applies to ports, protocols, and services. Information systems, in conjunction with the environment in
which they are installed, shall: • Provide for remote access only for an authorized, specific purpose (for example, to provide
email access for a guest agency’s employee via a VPN). The remote connection must be restricted to approved purposes.
Authorized remote access shall not enable the user to communicate as an extension of the IS or to communicate with local
resources such as a printer or file server unless explicitly authorized by the AO. • Route specific internal communications
traffic through authenticated proxy servers within the managed interfaces of boundary protection devices, (e.g., as defined
in DoDI 8551.1, Ports, Protocols, and Services Management (PPSM), and DISA STIGs), to external networks (i.e., networks
outside the control of the organization). The list of traffic to be routed through managed interfaces may be augmented with
service/agency or site-specific requirements and approved by the AO or designee. • Use private/non-publicly routable IP
addresses for isolated LANs. • Host-based boundary protection mechanisms shall be employed on mobile devices, (e.g.,
notebook/laptop computers and other types of mobile devices) where boundary protection mechanisms are available. This
typically applies when your internal network has classification or access levels that differ.
Monitors and controls communications at the external Click here to enter text.
boundary of the system and at key internal boundaries
within the system
Implements subnetworks for publicly accessible system Click here to enter text.
components that are physically and logically separated
from internal organizational networks
Connects to external networks or information systems Click here to enter text.
only through managed interfaces consisting of boundary
protection devices arranged in accordance with
organizational security architecture
10.17.7.1 SC-7(3) – Boundary Protection: Access Points (- Standalone and CRN Overlay)
160

Implemented Planned
The organization:
Limits the number of external network connections to the information system and prevents public access into the
organization’s internal networks except as allowed by managed interfaces employing boundary protection devices. This
control generally applies when the system is connected to unclassified system.
Physically allocate publicly accessible information system components to separate sub-networks with separate physical
network interfaces. Publicly accessible information system components include, for example, public web servers.
Limits the number of access points to information systems under their purview to allow for more comprehensive monitoring
of inbound and outbound communications and network traffic.
10.17.7.2 SC-7(4) – Boundary Protection: External Telecommunications Services (- Standalone and CRN Overlay)
Implemented Planned
The organization: (a) Implements a managed interface for each external telecommunication service; (b) Establishes a traffic
flow policy for each managed interface; (c) Protects the confidentiality and integrity of information being transmitted across
each interface; (d) Documents exceptions to the traffic flow policy with a supporting mission/business need and the
duration of that need in the SSP; (e) Reviews exceptions to the traffic flow policy at least annually; Eliminates traffic flow
policy exceptions that are no longer required by an explicit mission/business need; and update the SSP accordingly.
10.17.7.3 SC-7(5) – Boundary Protection: Deny by Default/Allow by Exception (- Standalone and CRN Overlay)
Implemented Planned
161

The organization at managed interfaces denies network traffic by default and allows network communications traffic by
exception (i.e., deny all, permit by exception). This requirement applies to ports, protocols, and services.
10.17.7.4 SC-7(7) – Boundary Protection: Prevent Split Tunneling for Remote Devices (- Standalone and CRN Overlay)
Implemented Planned
The IS, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections
with the system and communicating via some other connection to resources in external networks. The use of VPNs for
remote connections, when adequately provisioned with appropriate security controls, may provide the organization with
sufficient assurance that it can effectively treat such connections as non-remote connections from the confidentiality and
integrity perspective. VPNs thus provide a means for allowing non-remote communications paths from remote devices. The
use of an adequately provisioned VPN does not eliminate the need for preventing split tunneling.
10.17.7.5 SC-7(8) – Boundary Protection: Route Traffic to Authenticated Proxy Servers (- Standalone and CRN Overlay)
Implemented Planned
The IS routes specific internal communications traffic through authenticated proxy servers within the managed interfaces of
boundary protection devices, (e.g. as defined in DoDI 8551.1, Ports, Protocols, and Services Management (PPSM), and DISA
STIGs), to external networks (i.e., networks outside the control of the organization). The list of traffic to be routed through
162
managed interfaces may be augmented with Service or site-specific requirements and approved by the DAO or designee.
10.17.7.6 SC-7(9) – Boundary Protection: Restrict Threatening Outgoing Communications Traffic (- Standalone and CRN Overlay) –
NEW BASELINE
Implemented Planned
The IS (a) detects and denies outgoing communications traffic posing a threat to external IS; and (b) audits the identity of
internal users associated with denied communications. This is sometimes termed extrusion detection and includes traffic
indicative of denial of service attacks and traffic containing malicious code.
10.17.7.7 SC-7(10) – Boundary Protection: Prevent Unauthorized Exfiltration (- Standalone and CRN Overlay)
This control is required for IS that process, store or transmit SCI.
Implemented Planned
The organization prevents the unauthorized exfiltration of information across managed interfaces.
10.17.7.8 SC-7(11) – Boundary Protection: Restrict Incoming Communications Traffic (- Standalone and CRN Overlay)
163

Implemented Planned
The IS only allows incoming traffic from authorized sources routed to an authorized destination.
10.17.7.9 SC-7(12) – Boundary Protection: Host-Based Protection (- Standalone and CRN Overlay)
Implemented Planned
The organization implements host-based boundary protection mechanisms (e.g., a host-based firewall) for servers,
workstations, and mobile devices. Host-based boundary protection mechanisms shall be employed on mobile devices, (e.g.,
notebook/laptop computers and other types of mobile devices) where boundary protection mechanisms are available. This
typically applies when the internal network has classification or access levels that differ.
10.17.7.10 SC-7(13) – Boundary Protection: Isolation of Security Tools/Mechanisms/Support Components (- Standalone and CRN
Overlay)
Implemented Planned
The organization isolates, at a minimum, vulnerability scanning tools, audit log servers, patch servers, and CND tools from
164

other internal information system components via physically separate subnets with managed interfaces to other system or
network components.
10.17.7.11 SC-7(14) – Boundary Protection: Protects Against Unauthorized Physical Connections (- Standalone Overlay)
Implemented Planned
The organization protects against unauthorized physical connections at any managed interface that crosses security
domains or connects to an external network; such as, but not limited to cross domain solutions, a network boundary with a
WAN, a partner network, or the Internet.
10.17.7.12 SC-7(17) – Boundary Protection: Automated Enforcement of Protocol Formats

Implemented Planned
The IS enforces adherence to protocol formats. Information system components that enforce protocol formats include, for
example, deep packet inspection firewalls and XML gateways. Such system components verify adherence to protocol
formats/specifications (e.g., IEEE) at the application layer and identify significant vulnerabilities that cannot be detected by
devices operating at the network or transport layers.
165
10.17.8 SC-8 – Transmission Confidentiality and Integrity (+ Classified)

Implemented Planned
The IS protects the confidentiality and integrity of transmitted information. This control applies to both internal and
external networks and all types of information system components from which information can be transmitted (e.g.,
servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). When more than one
computer network exists, a color coding scheme shall be developed to assist in the proper handling of classified information.
Color coding of cables may be met by any of the following:
• Purchasing/making cables with the proper color.
• Placing colored tape every five feet along the cable length.
• Wrapping tape around the length of the cable run.
When networks are present other than those listed above, a different color must be selected for the network cables to assist
in minimizing the risk to classified IS.
10.17.8.1 SC-8(1) – Transmission Confidentiality and Integrity: Cryptographic or Alternate Physical Protection (+ Classified ) – NEW
BASELINE

Implemented Planned
The information system implements cryptographic mechanisms to prevent unauthorized disclosure of, and detect changes
to, information during transmission unless otherwise protected by alternative physical safeguards such as keeping
transmission within physical areas rated IAW the sensitivity of the information or within a Protected Distribution System
(PDS) when traversing areas not approved for the sensitivity of the information. This applies to sensitive unclassified
information, such as PII, as well as classified information.
166
10.17.8.2 SC-8(2) – Transmission Confidentiality and Integrity: Pre/Post Transmission Handling (+ Classified Overlay) (- Standalone
Implemented Planned
The IS maintains the confidentiality and integrity of information during preparation for transmission and during reception.
10.17.8.3 SC-8(3) – Transmission Confidentiality and Integrity: Cryptographic Protection for Message Externals (+ Classified
Overlay) – NEW
Implemented Planned
The IS implements cryptographic mechanisms to protect message externals unless otherwise protected by alternative
physical or logical safeguards. Message externals include, for example, message headers/routing information.
10.17.8.4 SC-8(4) – Transmission Confidentiality and Integrity: Conceal/Randomize Communications (+ Classified Overlay) – NEW
Implemented Planned
The IS implements cryptographic mechanisms to conceal or randomize communications patterns unless otherwise protected
by alternative physical or logical safeguards. Communication patterns include, for example, frequency, periods, amount,
and predictability. Changes to communications patterns can reveal information having intelligence value especially when
167

combined with other available information related to missions/business functions supported by organizational information
systems.
10.17.9 SC-10 – Network Disconnect (- Standalone & CRN Overlay)

Implemented Planned
The IS terminates the network connection associated with a communications session at the end of the session or after no
more than one (1) hour of inactivity.
10.17.10 SC-12 – Cryptographic Key Establishment and Management

.
Implemented Planned
The organization establishes and manages cryptographic keys for required cryptography employed within the IS in
accordance with NSA-approved key management technology and processes.
168
10.17.10.1 SC-12(2) – Cryptographic Key Establishment and Management/Symmetric Keys (+ Classified Overlay) – NEW
Implemented Planned
The organization produces, controls, and distributes symmetric keys using NSA-approved key management technology and
processes.
10.17.10.2 SC-12(3) – Cryptographic Key Establishment and Management/Asymmetric Keys (+ Classified Overlay) – NEW
Implemented Planned
The organization produces, controls, and distributes asymmetric keys using NSA-approved key management technology
and processes.
10.17.11 SC-13 – Cryptographic Protection (+ Classified)
Implemented Planned
The IS implements using NSA-approved cryptography for protecting classified information from access by personnel who
lack the necessary security clearance in accordance with applicable Federal laws, Executive Orders, directives, policies,
regulations, and standards. To protect classified information organizations shall employ NSA-approved cryptography.
169

Cryptography shall also be used to protect information that must be separated from individuals who have the necessary
clearances, but lack the necessary access approvals.
10.17.11.1 SC-13(3) – Cryptographic Protection: Individuals without Formal Access Approvals – WITHDRAWN Incorporated into SC-
13
10.17.12 SC-14 – Public Access Protections WITHDRAWN Incorporated into multiple controls
10.17.13 SC-15 – Collaborative Computing Devices (- Standalone & CRN Overlay)

Implemented Planned
Collaborative computing devices include, but are not limited to, VTC, VoIP telephones, VVoIP, networked white boards,
video cameras, and microphones. All collaborative computing devices must be approved by the AO. In addition, all
collaborative computing equipment, collateral, or unclassified information systems or networks must be approved by the
AO prior to introduction into the facility.
Additional requirements include:
 Camera lenses shall be covered with an opaque covering when the camera is not in use. No systems, documents,
or media of higher classification may be displayed or in view of the camera.
 Microphones must have a mute or hold capability (e.g., on/off switch) and should have a push to talk button
(implemented in hardware or software).
 While conducting a collaborative computing session, users shall take all reasonable measures to ensure that no
unintended information is made audible or visible via the collaborative computing device. Users shall advise all
personnel in the immediate area that the collaborative computing device will be operating and shall sanitize all
sensitive material/systems that may be in view of the collaborative computing device.
 Users shall not leave the collaborative computing device unattended while a session is in progress. Once the
collaborative session is completed, the user shall take explicit action to disconnect/terminate the collaborative
computing device.
 Desktop level collaborative computing devices may use external loud speakers/amplified sound only if they are
installed within a closed room with walls that meet the requirement of DoDM 5205.07-V3, otherwise a headset
must be used.
 Microphones must be used in such a way to ensure no unintended conversations are picked up and transmitted
outside the facility. This may be accomplished by using microphones in enclosed offices, or by ensuring no other
higher classified discussions occur in the area when the microphone is in use.
Prohibits remote activation of collaborative computing Click here to enter text.
devices with no exceptions
Provides an explicit indication of use to users physically Click here to enter text.
present at the devices
170
10.17.13.1 SC-15(2) – Collaborated Computing Devices: Blocking Inbound/Outbound Communications Traffic WITHDRAWN
Incorporated into SC-7
10.17.13.2 SC-15(3) – Collaborative Computing Devices: Disabling/Removal in Secure Work Areas (+ Classified Overlay) (-
Standalone & CRN Overlay) – NEW
Implemented Planned
The organization disables or removes collaborative computing devices from organizationally-identified IS or IS components
in specified secure work areas.
10.17.14 SC-17 – Public Key Infrastructure Certificates (- Standalone Overlay)

Implemented Planned
The organization issues public key certificates under the organizationally-defined certificate policy or obtains public key
certificates from an approved service provider. This requirement addresses certificates with visibility external to the
information system and certificates related to internal system operations.
171
10.17.15 SC-18 – Mobile Code

Implemented Planned
Mobile code is software obtained from remote systems outside the system authorization boundary, transferred across a
network, and then downloaded and executed on a local system (e.g., a computer with a web browser) without explicit
installation or execution by the recipient. ‘Transferred across a network’ includes transfers via media, aka sneakernet.
See the DAA PM security control SC-18 for additional definition of mobile code.
The organization:
Defines acceptable and unacceptable mobile code and Click here to enter text.
mobile code technologies
Establishes usage restrictions and implementation Click here to enter text.

guidance for acceptable mobile code and mobile code
technologies
Authorizes, monitors, and controls the use of mobile Click here to enter text.
code within the information system
10.17.15.1 SC-18(1) – Mobile Code: Identify Unacceptable Code/Take Corrective Actions

Implemented Planned
The IS identifies unacceptable mobile code and takes corrective action. Corrective actions when unauthorized mobile code
is detected include, for example, blocking, quarantine, or alerting the SA. Disallowed transfers include, for example, sending
word processing files with embedded macros.
10.17.15.2 SC-18(2) – Mobile Code: Acquisition/Development/Use

Implemented Planned
172

The organization ensures that the acquisition, development and use of mobile code to be deployed in the information
system meets mobile code requirements, usage restrictions, and implementation guidance for acceptable mobile code and
mobile code technologies as follows:
 Category 1 mobile code shall be signed by a trusted Certificate Authority. Use of unsigned Category 1 mobile code
is prohibited. Use of Category 1 mobile code technologies that cannot block or disable unsigned mobile code (e.g.,
Windows Scripting Host) is prohibited.
 Category 2 mobile code which executes in a constrained environment without access to system resources (e.g.,
Windows registry, file system, system parameters, and network connections to other than the originating host)
may be used. Category 2 mobile code which does not execute in a constrained environment may be used when
obtained from a trusted source over an assured channel (e.g., JWICS, SIPRNet, SSL connection, S/MIME) or when
signed with an approved code signing certificate.
 Category 3 mobile code may be used.
10.17.15.3 SC-18(3) – Mobile Code: Prevent Downloading/Execution

Implemented Planned
The IS prevents the download and execution of prohibited mobile code.
10.17.15.4 SC-18(4) – Mobile Code: Prevent Automatic Execution

Implemented Planned
The IS prevents the automatic execution of prohibited mobile code prior to executing the code.
173

10.17.16 SC-19 – Voice over Internet Protocol (VoIP) (- Standalone & CRN Overlay)
Implemented Planned
Organizations shall ensure VoIP technologies are implemented with DAO and approval. The organization shall further
ensure:
VoIP telephone instruments shall have a “Consent to Monitor” label (e.g. DD
Form 2056) or banner and an appropriate classification label or banner. VoIP
telephone instruments must be used in such a way to ensure no unintended
conversations are picked up and transmitted outside the facility. This may
include use in an enclosed office, or ensuring no other higher classified
discussions occur in the area when the VoIP telephone is in use.
The organization:
Establishes usage restrictions and implementation Click here to enter text.
guidance for VoIP technologies based on the potential to
cause damage to the IS if used maliciously
Authorizes, monitors and controls the use of VoIP within Click here to enter text.
the IS.
10.17.17 SC-20 – Secure Name/Address Resolution Service (Authoritative Source) (- Standalone & CRN Overlay)
Implemented Planned
A Domain Name System (DNS) server is an example of an information system that provides name/address resolution
service.
174

Provides additional data origin and integrity artifacts Click here to enter text.
along with the authoritative name resolution data the
system returns in response to external name/address
resolution queries
Provides the means to indicate the security status of Click here to enter text.
child zones and (if the child supports secure resolution
services) to enable verification of a chain of trust among
parent and child domains, when operating as part of a
distributed, hierarchical namespace
10.17.17.1 SC-20(1) – Secure Name/Address Resolution Service (Authoritative Source): Child Subspaces WITHDRAWN Incorporated
into SC-20
10.17.18 SC-21 – Secure Name/Address Resolution Service (Recursive or Caching Resolver) (- Standalone & CRN Overlay)
Implemented Planned
The information system requests and performs data origin authentication and data integrity verification on the
name/address resolution responses the system receives from authoritative sources.
10.17.19 SC-22 – Architecture and Provisioning for Name/Address Resolution Service (- Standalone & CRN Overlay)
Implemented Planned
The IS that collectively provide name/address resolution service for an organization shall be fault-tolerant and implement
internal/external role separation.
175
10.17.20 SC-23 – Session Authenticity (- Standalone Overlay)

Implemented Planned
The IS protects the authenticity of communications sessions. This control addresses communications protection at the
session, versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes
grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of
information transmitted. Authenticity protection includes, for example, protecting against man-in-the-middle
attacks/session hijacking and the insertion of false information into sessions.
10.17.20.1 SC-23(1) – Session Authenticity: Invalidate Session Identifiers at Logout (- Standalone Overlay)
Implemented Planned
The information system invalidates session identifiers upon user logout or other session termination.
10.17.20.2 SC-23(2) – Session Authenticity: User Initiated Logouts/Message Displays WITHDRAWN Incorporated into AC-12(1)
10.17.20.3 SC-23(3) – Session Authenticity: Unique Session Identifies with Randomization (- Standalone Overlay)
176
Implemented Planned
The information system generates a unique session identifier for each session and recognizes only session identifiers that
are system-generated.
10.17.20.4 SC-23(5) – Session Authenticity: Allowed Certificate Authorities (- Standalone Overlay) – NEW BASELINE
Implemented Planned
The information system only allows the use of defined certificate authorities for verification of the establishment of
protected sessions.
10.17.21 SC-28 – Protection of Information at Rest

Implemented Planned
Information at rest refers to the state of information when it is located on a non-volatile device (e.g., hard drive, tapes)
within an information system. laptop hard drives must be encrypted using either Bitlocker or other DAO-approved
encryption technology and must be labeled with “authorized/not authorized for travel” and “compliant with DAR policy.”
Information systems shall protect the confidentiality and integrity of information at rest.
177
10.17.21.1 SC-28(1) – Protection of Information at Rest: Cryptographic Protection (+Classified)

Implemented Planned
The IS implements DoD/NSA approved cryptographic mechanisms to prevent unauthorized disclosure and modification of
data at rest, to include mobile devices, CDs and other removable media (e.g., USB hard drives).
10.17.22 SC-38 – Operations Security – NEW BASELINE

Implemented Planned
The organization employs OPSEC safeguards to protect key organizational information throughout the system development
life cycle.
10.17.23 SC-39 – Process Isolation – NEW BASELINE

Implemented Planned
178

The IS maintains a separate execution domain for each executing process.
10.17.24 SC-42 – Sensor Capability and Data (+ Classified Overlay) – NEW

Implemented Planned
This control often applies to types of information systems or system components characterized as mobile devices, for
example, smart phones, tablets, and E-readers. These systems often include sensors that can collect and record data
regarding the environment where the system is in use. Sensors that are embedded within mobile devices include, for
example, cameras, microphones, Global Positioning System (GPS) mechanisms, and accelerometers.
Prohibits the remote activation of environmental sensing Click here to enter text.
capabilities unless determined to be essential for mission
execution
Provides an explicit indication of sensor use Click here to enter text.
10.17.24.1 SC-42(3) – Sensor Capability and Data: Prohibit Use of Services (+ Classified Overlay) – NEW
Implemented Planned
The organization prohibits the use of devices possessing environmental sensing capabilities within facilities.
179
180
SYSTEM AND INFORMATION INTEGRITY (SI)

10.18.1 SI-1 – System and Information Integrity Policy and Procedures
Implemented Planned
a. Develops, documents, and disseminates to all personnel:
1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities,
2. Procedures to facilitate the implementation of the system and information integrity policy and
associated system and information integrity controls; and
1. System and information integrity policy every 5 years; and
2. System and information integrity procedures at least annually.
181
10.18.2 SI-2 – Flaw Remediation

Implemented Planned
Flaw remediation refers to software patch management. Patch management is the systematic notification, identification,
deployment, installation, and verification of operating system and application software code revisions.
Organizations shall:
• Ensure system/network administrators routinely review vendor sites, bulletins, and notifications and proactively update
information systems with fixes, patches, definitions, service packs, or implementation of vulnerability mitigation strategies
with ISSM approval.
• Employ automated patch management tools on all components to the maximum extent supported by available tools to
facilitate flaw remediation.
By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation
actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example,
determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-
defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including,
for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability
related to the discovered flaw). Organizations determine the degree and type of testing needed for the specific type of flaw
remediation activity under consideration and also the types of changes that are to be configuration-managed. In some
situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical,
for example, when implementing simple anti-virus signature updates.
The organization:
Identifies, reports and corrects IS flaws Click here to enter text.
Tests software updates related to flaw remediation for Click here to enter text.
effectiveness and potential side effects on
organizational information systems before installation
Installs security-relevant software and firmware updates Click here to enter text.
within thirty (30) days of release of the updates
Incorporates flaw remediation into the organizational Click here to enter text.
configuration management process
10.18.2.1 SI-2(1) – Flaw Remediation: Central Management – NEW BASELINE

Implemented Planned
182
The organization centrally manages the flaw remediation process.

10.18.2.2 SI-2(2) – Flaw Remediation: Automated Flaw Remediation Status

Implemented Planned
The organization employs automated scans at least quarterly to determine the state of information system components
with regard to flaw remediation.
10.18.2.3 SI-2(3) – Flaw Remediation: Time to Remediate Flaws/Benchmarks for Corrective Actions (- Standalone Overlay)
Implemented Planned
The organization shall measure the time between flaw identification and flaw remediation, comparing with a local historical
development of benchmarks, if available.
10.18.2.4 SI-2(4) – Flaw Remediation: Automated Patch Management Tools WITHDRAWN Incorporated into SI-2
10.18.2.5 SI-2(6) – Flaw Remediation: Removal of Previous Versions of Software/Firmware – NEW BASELINE
183
Implemented Planned
The organization removes previous versions of software and/or firmware components after updated versions have been
installed.
10.18.3 SI-3 – Malicious Code Protection

Implemented Planned
The organization:
Employs malicious code protection mechanisms at Click here to enter text.
information system entry and exit points to detect and
eradicate malicious code
Updates malicious code protection mechanisms Click here to enter text.
whenever new releases are available in accordance with
organizational configuration management policy and
procedures
Configures malicious code protection mechanisms to: Click here to enter text.
(a) Perform periodic scans of the information system at
least weekly and real-time scans of files from external
sources at endpoints and network entry/exit points as
files are downloaded, opened, or executed in
accordance with organizational security policy; (b) Block
and quarantine malicious code and send an alert to the
system administrator in response to malicious code
detection
Addresses the receipt of false positives during malicious Click here to enter text.
code detection and eradication and the resulting
potential impact on the availability of the information
system
184
10.18.3.1 SI-3(1) – Malicious Code Protection: Central Management (- Standalone Overlay)

Implemented Planned
The organization centrally manages malicious code protection mechanisms, e.g. client/server antivirus model, records of
malicious code protection updates; information system configuration settings and associated documentation.
10.18.3.2 SI-3(2) – Malicious Code Protection: Automatic Updates (- Standalone Overlay)

Implemented Planned
The IS automatically updates malicious code protection mechanisms (including signature definitions), i.e. after updates are
installed to the server.
10.18.3.3 SI-3(10) – Malicious Code Protection: Malicious Code Analysis – NEW BASELINE
Implemented Planned
The organization (a) employs specific tools and techniques to analyze the characteristics and behavior of malicious code; and
(b) incorporates the results from the analysis into organizational incident response and flaw remediation processes.
185

10.18.4 SI-4 – Information System Monitoring

.
Implemented Planned
The organization:
Monitors the information system to detect: (1) Attacks Click here to enter text.
and indicators of potential attacks in accordance with
the Service or Activity policy and (2) Unauthorized local,
network, and remote connections;
Identifies unauthorized use of the information system Click here to enter text.
through User Activity Monitoring tools, such as InTrust
Deploys monitoring devices: (i) strategically within the Click here to enter text.
information system to collect organization-determined
essential information; and (ii) at ad hoc locations within
the system to track specific types of transactions of
interest to the organization
Protects information obtained from intrusion-monitoring Click here to enter text.
tools from unauthorized access, modification, and
deletion
Heightens the level of information system monitoring Click here to enter text.
activity whenever there is an indication of increased risk
to organizational operations and assets, individuals,
other organizations, or the Nation based on law
enforcement information, intelligence information, or
other credible sources of information
Obtains legal opinion with regard to information system Click here to enter text.
monitoring activities in accordance with applicable
federal laws, Executive Orders, directives, policies, or
regulations
Provides information as needed to designated personnel Click here to enter text.
10.18.4.1 SI-4(1) – Information System Monitoring: System-Wide Intrusion Detection System (- Standalone Overlay)
186

Implemented Planned
The organization connects and configures individual intrusion detection tools into an information system-wide intrusion
detection system (IDS).
10.18.4.2 SI-4(2) – Information System Monitoring: Automated Tools for Real-Time Analysis (- Standalone Overlay)
Implemented Planned
To the extent possible, the organization employs automated tools to support near real-time analysis of events.
10.18.4.3 SI-4(4) – Information System Monitoring: Inbound and Outbound Communications Traffic (- Standalone Overlay)
Implemented Planned
Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic
include, for example, internal traffic that indicates the presence of malicious code within organizational information systems
or propagating among system components, the unauthorized exporting of information, or signaling to external information
systems. Evidence of malicious code is used to identify potentially compromised information systems or information system
components.
187

To the extent possible, the information system shall monitor inbound and outbound communications traffic continuously
for unusual or unauthorized activities or conditions.
10.18.4.4 SI-4(5) – Information System Monitoring: System Generated Alerts (- Standalone Overlay)
Implemented Planned
The information system alerts the ISSM/ISSO when the following indications of compromise or potential compromise occur:
audit record deletion or modification, alerts from malicious code detection mechanisms, intrusion detection or prevention
mechanisms, boundary protection mechanisms such as firewalls, gateways, and routers.
10.18.4.5 SI-4(10) – Information System Monitoring: Visibility of Encrypted Communications (- Standalone Overlay) – NEW
BASELINE
Implemented Planned
The organization makes provisions so that Program-related encrypted communications traffic is visible to deployed IS
monitoring tools.
10.18.4.6 SI-4(11) – Information System Monitoring: Analyze Communications Traffic Anomalies (- Standalone & CRN Overlay)
188

Implemented Planned
The organization analyzes outbound communications traffic at the external boundary of the IS and selected
subnetworks/subsystems to discover anomalies. Anomalies within organizational information systems include, for example,
large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications
with suspected malicious external addresses.
10.18.4.7 SI-4(12) – Information System Monitoring: Automated Alerts (- Standalone Overlay)

Implemented Planned
The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual
activities with security implications: at a minimum, unauthorized system access attempts, unauthorized system usage.
Email or security dashboard alerts meet the intent of this control and can be set up to summarize user unauthorized access
attempts to files or authentication failures.
10.18.4.8 SI-4(14) – Information System Monitoring: Wireless Intrusion Detection (- Standalone Overlay)
Implemented Planned
189

The organization employs a capability, such as a wireless IDS, to identify rogue wireless devices and to detect attack
attempts and potential compromises/breaches to information systems.
10.18.4.9 SI-4(15) – Information System Monitoring: Wireless to Wireline Communications (- Standalone Overlay)
Implemented Planned
If appropriate, the organization shall employ an IDS to monitor wireless communications traffic as the traffic passes from
wireless to wireline networks.
10.18.4.10 SI-4(16) – Information System Monitoring: Correlate Monitoring Information (- Standalone Overlay)
Implemented Planned
To the extent possible, the organization shall correlate information from monitoring tools employed throughout the
information system to achieve organization-wide situational awareness. This control supports insider threat mitigation.
10.18.4.11 SI-4(19) – Information System Monitoring: Individuals Posing Greater Risk (+ Classified Overlay) – NEW BASELINE
190
Implemented Planned
The organization implements additional monitoring measures of individuals who have been identified by organization
and/or other authorized sources as posing an increased level of risk. Indications of increased risk from individuals can be
obtained from a variety of sources including, for example, human resource records, intelligence agencies, law enforcement
organizations, and/or other credible sources. The monitoring of individuals is closely coordinated with management, legal,
security, and human resources officials within organizations conducting such monitoring and complies with federal
legislation, Executive Orders, policies, directives, regulations, and standards.
10.18.4.12 SI-4(20) – Information System Monitoring: Privileged User – NEW BASELINE

Implemented Planned
The organization implements additional monitoring or privileged users. Additional monitoring may be instituted as part of a
new-user policy, upon notice of personnel termination (e.g., user gives two weeks’ notice), or the result of incident
response. This control may be implemented and defined at the time of incident. Example: Following an incident related to
incorrect marking, the GSSO/institutes probationary period of 30 days during which time a designated security person
reviews all documents produced by the individual.
10.18.4.13 SI-4(21) – Information System Monitoring: Probationary Periods (+ Classified Overlay) - NEW
Implemented Planned
191
The organization implements additional monitoring of individuals during probationary periods.

10.18.4.14 SI-4(22) – Information System Monitoring: Unauthorized Network Services (- Standalone Overlay) – NEW BASELINE
Implemented Planned
Information system detects network services that have not been authorized or approved by defined authorized or approval
processes and audits and/or alerts the ISSM/ISSO.
10.18.4.15 SI-4(23) – Information System Monitoring: Host-Based Devices (- Standalone Overlay) – NEW BASELINE
Implemented Planned
The organization implements host-based monitoring at identified IS components. This includes monitoring, for example, of
I/O and endpoint services.
10.18.5 SI-5 – Security Alerts, Advisories, and Directives

Implemented Planned
192

The organization:
Receives information system security alerts, advisories, Click here to enter text.
and directives from designated external organizations on
an ongoing basis. This includes, but is not limited to, the
DHS US-CERT, SANS Internet Storm Center (ISC) and
USCYBERCOM
Generates internal security alerts, advisories, and Click here to enter text.
directives as deemed necessary
Disseminates security alerts, advisories, and directives to Click here to enter text.
ISSM, ISSOs, and system administrators and security
personnel, as appropriate
Implements security directives in accordance with Click here to enter text.
established time frames, or notify the issuing
organization of the degree of noncompliance
10.18.5.1 SI-7(14) – Software, Firmware, and Information Integrity: Binary or Machine Executable Code – NEW BASELINE
Implemented Planned
The organization (a) Prohibits the use of binary or machine executable code from sources with limited or not warranty and
without the provision of source code; and (b) Provides exceptions to the source code requirement only for compelling
mission/operational requirements and with the approval of the AO.
10.18.6 SI-10 – Information Input Validation (- Standalone Overlay) – NEW BASELINE

Implemented Planned
193

The IS checks the validity of information all inputs to web/application servers, database servers, and any system or
application input that might receive a crafted exploit toward executing some code or buffer overflow.
10.18.7 SI-11 – Error Handling

Compensatory Control (Provide justification below) Not applicable (Provide justification below)
Generates error messages that provide information Click here to enter text.
necessary for corrective actions without revealing
sensitive or potentially harmful information in error logs
and administrative messages that could be exploited by
adversaries
Reveals error messages only to authorized personnel Click here to enter text.
10.18.8 SI-12 – Information Handling and Retention

Implemented Planned
The organization handles and retains information within the IS and information output from the system in accordance with
applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements. ASPD
provides guidance for information retention.
194
195
PROGRAM MANAGEMENT (PM) – NEW BASELINE

All organizations are required to establish a Program cybersecurity/information assurance (CS/IA) program. PM-1 – Information
Security Program Plan
10.19.1 PM-1 Information Security Program Plan

The organization:
The SSP can function as the Security Plan for ISSMs.
The organization: a. Develops and disseminates an Click here to enter text.
organization-wide information security program plan
that: 1. Provides an overview of the requirements for the
security program and a description of the security
program management controls and common controls in
place or planned for meeting those requirements; 2.
Includes the identification and assignment of roles,
responsibilities, management commitment, coordination
among organizational entities, and compliance; 3.
Reflects coordination among organizational entities
responsible for the different aspects of information
security (i.e., technical, physical, personnel, cyber-
physical); and 4. Is approved by a senior official with
responsibility and accountability for the risk being
incurred to organizational operations (including mission,
functions, image, and reputation), organizational assets,
individuals, other organizations, and the Nation;
Reviews the organization-wide information security Click here to enter text.
program plan [Annually];
Updates the plan to address organizational changes and Click here to enter text.
problems identified during plan implementation or
security control assessments; and
Protects the information security program plan from Click here to enter text.
unauthorized disclosure and modification.
10.19.2 PM-2 – Senior Information Security Officer

Implemented Planned
196

The organization appoints a senior information security officer (SISO) with the mission and resources to coordinate, develop,
implement, and maintain an organization-wide information security program. For programs, the PM can function as the
SISO or assign the duties to the ISSM.
10.19.3 PM-3 – Information Security Resources

The organization:
Ensures that all capital planning and investment requests Click here to enter text.
include the resources needed to implement the
information security program and documents all
exceptions to this requirement
Employs a business case/Exhibit 300/Exhibit 53 to record Click here to enter text.
the resources required
Ensure that information security resources are available Click here to enter text.
for expenditure as planned
10.19.4 PM-4 – Plan of Action and Milestones Process

DSS requires Programs to provide their POA&Ms for review on a quarterly basis or as requested via data calls.
The initiation if the POA&M is created by and maintained by the ISSM and approved as part of the SSP. The
Organization/ISSM us responsible for the life cycle maintenance of the POA&M and the execution of the required mitigation
actions.
The organization:
Implements a process for ensuring that plans of action Click here to enter text.
and milestones for the security program and associated
organizational information systems: (1) Are developed
and maintained; (2) Document the remedial information
security actions to adequately respond to risk to
organizational operations and assets, individuals, other
197

organizations, and the Nation; and (3). Are reported in
accordance with reporting requirements.
Reviews POA&Ms for consistency with organizational risk Click here to enter text.
management strategy and organization wide-priorities
for risk response actions
10.19.5 PM-5 – Information System Inventory

Implemented Planned
The organization develops and maintains an inventory of its information systems.
Each ISSM is required to maintain an inventory of information systems under its purview; ensuring information related to
the number, size, and mission information system is maintained.
10.19.6 PM-6 – Information Security Measures of Performance

Implemented Planned
The organization develops, monitors, and reports on the results of information security measures of performance, e.g.
metrics. See NIST SP 800-55, Performance Measurement Guide for Information Security, for metrics examples.
Information security measures monitor the accomplishment of goals and objectives by quantifying the implementation,
efficiency, and effectiveness of security controls; analyzing the adequacy of information security program activities;
identifying possible improvement actions.
A. Number of employees who received annual security awareness training;

B. Percent of information systems with approved ATOs;
C. Number of privileged users;
D. Number of low and high risk Data Transfer Agents;
E. Other measurements as required by the DAO in accordance with the CSAs Assessment and Authorization Manual.
198

10.19.7 PM-7 – Enterprise Architecture

Implemented Planned
The organization develops an enterprise architecture with consideration for information security and the resulting risk to
organization operations, organizational assets, individuals, other organizations, and the Nation and ensures security
considerations are addressed by the organization early in the system development life cycle and that the requirements and
controls assigned are directly and explicitly related to the organization’s mission/business processes.
10.19.8 PM-8 – Critical Infrastructure Plan

Implemented Planned
The organization addresses information security issues in the development, documentation, and updating of a critical
infrastructure and key resources protection plan.
Identifying and documenting critical infrastructure and key resources provides the organization with the fundamental
understanding of what assets need protection, at what level, ensures focus on the mission/business objectives, and supports
contingency planning [CP-2].
199
10.19.9 PM-9 – Risk Management Strategy

The risk management strategy at the Program Level incorporates the risk assessment results from the risk assessment
reports provided for the security authorization of the information systems (RA-3), as well as other sources internal and
external to the organization resulting in a comprehensive risk management strategy.
The organization:
Develops a comprehensive strategy to manage risk to Click here to enter text.
organizational operations and assets, individuals, other
organizations, and the Nation associated with the
operation and use of information systems;
Implements the risk management strategy consistently Click here to enter text.
across the organization;
Reviews and updates the risk management strategy at Click here to enter text.
least annually or as required to address organizational
changes
10.19.10 PM-10 – Security Authorization Process

The organization must implement the Risk Management Framework (RMF) and incorporate the processes required for
security authorization in accordance with the requirements of the NISPOM and CSAs Assessment and Authorization Manual.
The organization:
Manages (i.e., documents, tracks, and reports) the The ISSM manages the process for Facility.
security state of organizational IS and the environments
in which those systems operate through the security
authorization process
Designates individuals to fulfill specific roles and Click here to enter text.
responsibilities within the organizational risk
management process (i.e., ISSM/ISSO)
Fully integrates the security authorization processes into Click here to enter text.
an organization-wide risk management program
200
10.19.11 PM-11 – Mission/Business Process Definition

The organization:
Defines mission/business processes with consideration Click here to enter text.
for information security and the resulting risk to
organizational operations, organizational assets,
individuals, other organizations, and the Nation
Determines information protection needs arising from Click here to enter text.
the defined mission/business processes and revises the
processes as necessary, until achievable protection needs
are obtained
10.19.12 PM-12 – Insider Threat Program

Implemented Planned
The organization implements an insider threat program that includes a cross discipline insider threat incident handling team
(i.e., ISSM, PM, etc.) The organization required to comply with the requirements of the NISP Insider Threat Program.
10.19.13 PM-13 – Information Security Workforce

Implemented Planned
The organization establishes an information security workforce development and improvement program.
201

Appropriate staff is required to establish and maintain an adequate information security workforce certified in accordance
with the requirements of DOD 8570.01-M if imposed by contract.
10.19.14 PM-14 – Testing, Training, and Monitoring

Each Organization required to consider OPSEC as it pertains to their information security if contractually imposed.
The organization:
Implements a process for ensuring that organizational Click here to enter text.
plans for conducting security testing, training, and
monitoring activities associated with organizational
information systems: (1) Are developed and maintained;
and (2) Continue to be executed in a timely manner
Reviews testing, training, and monitoring plans for Click here to enter text.
consistency with the organizational risk management
strategy and organization-wide priorities for risk response
actions
10.19.15 PM-15 – Contact with Security Groups and Associations

Implemented Planned
The organization must provide oversight for the security testing, training, and monitoring activities conducted within their
facility and ensure that those activities are coordinated.
The organization establishes and institutionalizes contact with selected groups and associations within the security
community: a. To facilitate ongoing security education and training for organizational personnel; b. To maintain currency
with recommended security practices, techniques, and technologies; and c. To share current security-related information
including threats, vulnerabilities, and incidents.
202

10.19.16 PM-16 – Threat Awareness Program

Implemented Planned
The organization must create and follow procedures that outlines procedures to release information below the accredited
level of the system. A record must be maintained and the trusted download agent must be trained. A comprehensive
review should be completed by knowledgeable users.
The organization implements a threat awareness program that includes a cross-organization information-sharing capability.
203

DSS RMF SSP Template M-L-L With Controls Overlays - 9 May 16 v5

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

DSS RMF SSP Template M-L-L With Controls Overlays - 9 May 16 v5

Încărcat de

Drepturi de autor:

Formate disponibile

System Security Plan (SSP)

System Name Click here to enter text.

Review and Approval of Controls

Program & Cybersecurity/Information Assurance

Operational The system is operating and in production.

Under Development The system is being designed, developed, or implemented

Major Modification The system is undergoing a major change, development, or transition.

Other Explain: Click here to enter text.

5.2.2 Categorization Detailed Results

Information Impact Categorization

5.2.2.1 System Security Impact Categorization

5.2.2.2 Risk Adjusted System Impact Categorization

5.2.3 Control Selection

6 KEY ROLES AND RESPONSIBILITIES

Delegated AO-Representative (DAO-R)

System Certifying Authority (SCA)

Organization: Click here to enter text.

Information System Owner (ISO)/Program Manager (PM)

Information System Security Manager (ISSM)

System Administrator/Network Administrator (SA/NA)

Data Transfer Agent (DTA)/Trusted Download

Is the system approved for unattended processing? Yes

Minimum Clearance Minimum Access Citizenship Foreign National

Top Secret SAP Yes

SYSTEM CLASSIFICATION LEVEL(S) & COMPARTMENT(S)

UNIQUE DATA HANDLING REQUIREMENTS

INFORMATION ACCESS POLICIES

8 GENERAL SYSTEM DESCRIPTION/PURPOSE

USER ROLES AND ACCESS PRIVILEGES

NIST 800-53, Rev. 4/DAA PM Reference: PL-2, AC-17, CA-3

This system connects to following system(s):

INDIRECT CONNECTIONS/INFORMATION SHARING

MEMORANDA OF UNDERSTANDING (MOU), MEMORANDA OF AGREEMENT (MOA), CO-UTILIZATION

NIST 800-53, Rev. 4/DAA PM Reference: AC-20

10 BASELINE SECURITY CONTROLS

ACCESS CONTROL (AC)

CONTINUOUS MONITORING STRATEGY Click here to enter text.

10.2.2 AC-2 – Account Management

Recommended Continuous Monitoring Frequency: Annually Program Frequency: Choose an item.

Recommended Continuous Monitoring Frequency: Annually Program Frequency: Choose an item.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Compensatory Control (Provide justification below) Tailored In (Provide justification below)

CONTINUOUS MONITORING STRATEGY Click here to enter text.

10.2.2.2 AC-2(2) – Account Management: Removal of Temporary/Emergency Accounts (- Standalone Overlay)

Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

10.2.2.3 AC-2(3) – Account Management: Disable Inactive Accounts (- Standalone Overlay)

Click here to enter text.

Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

10.2.2.4 AC-2(4) – Account Management: Automated Audit Actions

CONTINUOUS MONITORING STRATEGY Click here to enter text.

10.2.2.5 AC-2(5) – Account Management: Inactivity Logout

CONTINUOUS MONITORING STRATEGY Click here to enter text.

10.2.2.6 AC-2(7) – Account Management: Role Based Schemes (- Standalone Overlay)

Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

Tailored Out (Provide justification below) Modified (Provide justification below)

Control Origination (check all that apply):

CONTINUOUS MONITORING STRATEGY Click here to enter text.

Recommended Continuous Monitoring Frequency: Quarterly Program Frequency: Choose an item.

CONTINUOUS MONITORING STRATEGY Click here to enter text.

CONTINUOUS MONITORING STRATEGY Click here to enter text.