
Best Practices Security Checklist V2R1
January 29, 2007
Field Security Operations
Defense Information Systems Agency

Unclassified UNTIL FILLED IN


CIRCLE ONE
FOR OFFICIAL USE ONLY (mark each page)
CONFIDENTIAL and SECRET (mark each page and each finding)
Classification is based on classification of system reviewed:
Unclassified System = FOUO Checklist
Confidential System = CONFIDENTIAL Checklist
Secret System = SECRET Checklist
Top Secret System = SECRET Checklist

Reviewer: Date:

System:

Totals: Comments:

Description:
Documentation:
Documentation:

Total:

STIGs do not apply to the service provided architecture, but STIGs must apply to the DoD Client architecture. Verify the application will function using a STIGed Client workstation and STIGed firewall.


General

Each vulnerability below lists its IA Control(s), the scoring criteria for the Description, Documentation and Demonstration columns, and a Score field.

Vulnerability 1: Does the vendor have a documented and provable security policy for IT?
IA Control: DCSD-1
List of Items to be Included:
1. Statement of Purpose
2. Organization structure
3. Physical Security
4. Hiring & termination procedures
5. Data Classification
6. Access Control
7. Operating Systems
8. Hardware & Software
9. Internet Use
10. Email
11. Technical Support
12. Virus protection, firewall, VPN, remote access
13. Backups & disaster recovery
14. Intrusion detection & incident response
15. Personnel Security
16. Software Development
17. Outsourcing (off shore)
18. Help Desk Development
Description Criteria:
- Does not have a policy or cannot describe policy = 0
- Can describe policy = 1
Documentation Criteria:
- Does not have a policy, or policy is not documented, or documented but does not include any of the noted items = 0
- Documented & includes 1-9 of 18 items = 1
- Documented & includes 10-18 of 18 items = 2
Demonstration Criteria:
- Does not have a policy or Site cannot demonstrate policy = 0
- Site can demonstrate policy but it does not include any of the noted items = 1
- Site can demonstrate policy & it includes 1-9 of 18 items = 2
- Site can demonstrate policy & it includes 10-18 of 18 items = 3
Score:


Vulnerability 2: Is this policy reviewed and updated on a regular basis?
IA Control: DCAR-1
Question to Ask:
1. How often is the policy updated?
Description Criteria:
- Does not have a policy or cannot describe review & update process = 0
- Can describe review & update process = 1
Documentation Criteria:
- Does not have a policy or policy review & update is not documented = 0
- Can provide documentation for review & update to be completed less frequently than yearly = 1
- Can provide documentation for review & update to be completed yearly or more frequently = 2
Demonstration Criteria:
- Not Applicable
Score:


Vulnerability 3: Does the vendor have management buy-in to security?
Description Criteria:
- Does not have a corporate security policy with management approval or cannot describe their corporate security policy = 0
- Can describe their corporate security policy = 1
Documentation Criteria:
- Does not have a corporate security policy with management approval or cannot provide documentation of their corporate security policy = 0
- Can provide documentation of their corporate security policy = 2
Demonstration Criteria:
- Not Applicable
Score:


Access Control

Vulnerability 4: Is the application PKI enabled for the client?
IA Controls: DCBP-1, DCMC-1, DCNR-1, IAKM-1, IATS-1
Question to Ask:
1. Does the application use DoD PKI or non-DoD PKI?
Description Criteria:
- Application is not PKI enabled for the client = 0
- Can describe how their application uses PKI for their client = 1
Documentation Criteria:
- Cannot provide documentation that describes the application being PKI enabled for the client = 0
- Can provide documentation the application uses non-DoD PKI = 1
- Can provide documentation the application uses DoD PKI = 2
Demonstration Criteria:
- Cannot demonstrate the application is PKI enabled = 0
- Can demonstrate the application uses non-DoD PKI = 1
- Can demonstrate the application uses DoD PKI = 2
Score:


Vulnerability 5: Is the application PKI enabled for the server and configured to require PKI for authentication?
IA Controls: DCBP-1, DCMC-1, DCNR-1, IAKM-1, IATS-1
Question to Ask:
1. Does the application use DoD PKI or non-DoD PKI?
Description Criteria:
- Application is not PKI enabled for the server & configured to require PKI for authentication = 0
- Can describe how their application is PKI enabled for the server & configured to require PKI for authentication = 1
Documentation Criteria:
- Application is not PKI enabled for the server & configured to require PKI for authentication, or cannot provide documentation = 0
- Can provide documentation the application is non-DoD PKI enabled for the server & configured to require non-DoD PKI for authentication = 1
- Can provide documentation the application is DoD PKI enabled for the server & configured to require DoD PKI for authentication = 2
Demonstration Criteria:
- Application is not PKI enabled for the server & configured to require PKI for authentication, or cannot demonstrate = 0
- Can demonstrate the application is non-DoD PKI enabled for the server & configured to require non-DoD PKI for authentication = 2
- Can demonstrate the application is DoD PKI enabled for the server & configured to require DoD PKI for authentication = 3
Score:


Vulnerability 6: Does the vendor have robust revocation checking?
IA Control: PRAS-1
Description Criteria:
- Does not have robust revocation checking = 0
- Does have robust revocation checking = 1
Documentation Criteria:
- Does not have robust revocation checking or cannot provide documentation = 0
- Can provide documentation = 2
Demonstration Criteria:
- Does not have robust revocation checking or cannot demonstrate = 0
- Can demonstrate process = 3
Score:

Vulnerability 7: Is there a registration process for new users?
IA Controls: PRAS-1, EBBD-2
Question to Ask:
1. Is the registration process provided to new users?
Description Criteria:
- Does not have a registration process for new users = 0
- Does have a registration process for new users = 1
Documentation Criteria:
- Does not have a registration process for new users or process is not documented = 0
- Can provide documentation but it is not provided to new users = 1
- Can provide documentation & it is provided to new users = 2
Demonstration Criteria:
- Does not have a registration process for new users or cannot demonstrate registration process = 0
- Can demonstrate new user registration process = 3
Score:


Vulnerability 8: Does the vendor have an access request form such as Form 2875, System Authorization Access Request (SAAR)?
IA Controls: PRAS-1, ECAN-1, ECPA-1
List of Items to be Included:
1. * Type of request (Initial, Modification, Deactivation)
2. * System Name
3. System Location
4. * Date
5. * Name
6. Social Security Number/Employee Number
7. Organization
8. Phone Number
9. * Email Address
10. Job Title
11. Physical Address
12. * Citizenship
13. User Agreement
14. * Justification for Access/Need to Know
15. * Type of Access
16. * Supervisor Approval
17. * Security Manager Verification
18. * Verification of Need to Know
Description Criteria:
- Does not have a form = 0
- Can describe form = 1
Documentation Criteria:
- Does not have a form or cannot provide form = 0
- Can provide blank form & it contains all of the asterisked items = 1
- Can provide blank form & it contains all of the asterisked items & all of the non-asterisked items = 2
Demonstration Criteria:
- Does not have a form or cannot provide form = 0
- Can provide completed form & it contains all of the asterisked items = 1
- Can provide completed form & it contains all of the asterisked items & 1-4 of the 7 non-asterisked items = 2
- Can provide completed form & it contains all of the asterisked items & 5-7 of the 7 non-asterisked items = 3
Score:


Vulnerability 9: Does the vendor have a role-based policy for user access?
IA Controls: DCFA-1, DCSD-1, ECCD-1, ECPA-1, ECAN-1, ECIC-1, ECLP-1, IAAC-1, PRNK-1
Questions to Ask:
1. Do administrators have an account for administrator work only & have an additional account for other purposes?
2. Are administrator privileges only granted to administrators & not to all users?
3. Are limits put on each user who has access to the application?
4. Are user privileges based on need-to-know?
5. Are permissions periodically reviewed to include Superusers?
Description Criteria:
- Does not have a role-based policy for user access or cannot describe their role-based policy = 0
- Can describe their role-based policy for user access = 1
Documentation Criteria:
- Does not have a role-based policy for user access, or cannot provide documentation, or can provide documentation but it includes answers to only 1-2 of the 5 questions = 0
- Can provide documentation & it includes answers to 3-4 of the 5 questions = 1
- Can provide documentation & it includes answers to all of the 5 questions = 2
Demonstration Criteria:
- Does not have a role-based policy for user access or cannot demonstrate their policy = 0
- Can demonstrate the answers to 1-2 of the 5 questions = 1
- Can demonstrate the answers to 3-4 of the 5 questions = 2
- Can demonstrate the answers to all 5 questions = 3
Score:


Vulnerability 10: Is there a process for checking for inactive and terminated users?
IA Control: IAAC-1
Description Criteria:
- Does not have a process for checking for inactive & terminated users or cannot describe process = 0
- Can describe their process for checking for inactive & terminated users = 1
Documentation Criteria:
- Does not have a process for checking for inactive & terminated users or the process is not documented = 0
- Can provide documentation for a manual process = 1
- Can provide documentation for an automated process = 2
Demonstration Criteria:
- Does not have a process for checking for inactive & terminated users or the process cannot be demonstrated = 0
- Can demonstrate manual process = 2
- Can demonstrate automated process = 3
Score:


Vulnerability 11: What is the period for revocation of users? (the length of the contract or one year, whichever comes first)
IA Control: IAIA-1
Question to Ask:
1. What is the length of the revocation period?
Description Criteria:
- Does not have a period for revocation of users or cannot describe period of revocation = 0
- Can describe period for revocation of users = 1
Documentation Criteria:
- Does not have a period for revocation of users or cannot provide documentation = 0
- Can provide documentation for revocation of users & the period is less frequent than the length of the contract or one year = 1
- Can provide documentation for revocation of users & the period is the length of the contract, or one year or more frequently = 2
Demonstration Criteria:
- Does not have a period for revocation of users or cannot demonstrate that users are revoked = 0
- Can demonstrate the revocation of users & the period is less frequent than the length of the contract or one year = 2
- Can demonstrate the revocation of users & the period is the length of the contract, or one year or more frequently = 3
Score:


Vulnerability 12: Does the vendor have a strong password policy?
IA Control: IAIA-1
List of Items to be Included:
1. A minimum of nine characters
2. Includes at least one uppercase alphabetic character
3. Includes at least one lowercase alphabetic character
4. Includes at least one non-alphanumeric (special) character
5. Includes at least one numeric character
6. Expires after 60 days
7. Is different than the previous 10 passwords used
8. Is changeable by the administrator at any time
9. Is changeable by the associated user only once in a 24 hour period (for human user accounts)
10. Is not changeable by users other than the administrator or the user with which the password is associated
Description Criteria:
- Does not have a password policy or cannot describe policy = 0
- Can describe their password policy = 1
Documentation Criteria:
- Does not have a password policy or policy is not documented = 0
- Can provide documentation for their policy & it includes 1-5 of listed items = 1
- Can provide documentation for their policy & it includes 6-10 of listed items = 2
Demonstration Criteria:
- Does not have a password policy or cannot demonstrate their policy = 0
- Can demonstrate their policy & it includes 1-4 of listed items = 1
- Can demonstrate their policy & it includes 5-7 of listed items = 2
- Can demonstrate their policy & it includes 8-10 of listed items = 3
Score:
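As an added example that is not part of the DISA checklist, the ten password-policy items above written out as enforcement logic a reviewer could exercise when asking a vendor to demonstrate the policy. The Account model, the "administrator" actor name, the salted hash used for the password history and the dates in the scenario are all assumptions made for the illustration.

```python
"""Password-policy enforcement model for the ten items of vulnerability 12.

Added example (not part of the DISA checklist). Account, actor names and
the salted-hash storage are assumptions made for the illustration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MIN_LENGTH = 9                              # item 1
MAX_AGE = timedelta(days=60)                # item 6
HISTORY_DEPTH = 10                          # item 7
USER_CHANGE_INTERVAL = timedelta(hours=24)  # item 9
ADMIN = "administrator"                     # assumed actor name for items 8 and 10


def complexity_failures(password: str) -> List[str]:
    """Return the composition items (1-5) a candidate password fails."""
    failures: List[str] = []
    if len(password) < MIN_LENGTH:
        failures.append("1: fewer than nine characters")
    if not any(c.isupper() for c in password):
        failures.append("2: no uppercase alphabetic character")
    if not any(c.islower() for c in password):
        failures.append("3: no lowercase alphabetic character")
    if not any(not c.isalnum() for c in password):
        failures.append("4: no non-alphanumeric (special) character")
    if not any(c.isdigit() for c in password):
        failures.append("5: no numeric character")
    return failures


def _digest(password: str, salt: str) -> str:
    # Constructed stand-in for the application's stored credential form;
    # only digests, never plaintext, are kept in the history (item 7).
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


@dataclass
class Account:
    name: str
    is_human: bool = True                      # item 9 applies to human accounts only
    salt: str = "constructed-salt"
    history: List[str] = field(default_factory=list)   # last 10 digests, newest last
    last_changed: Optional[datetime] = None
    last_user_change: Optional[datetime] = None

    def is_expired(self, now: datetime) -> bool:
        """Item 6: a password older than 60 days must be changed."""
        return self.last_changed is None or now - self.last_changed > MAX_AGE

    def change_password(self, actor: str, new_password: str, now: datetime) -> List[str]:
        """Apply items 1-5 and 7-10. Returns [] on success, else the reasons refused."""
        # Item 10: nobody but the administrator or the owning user may change it.
        if actor not in (ADMIN, self.name):
            return ["10: only the administrator or the associated user may change this password"]
        # Item 9: a human user may change their own password once per 24 hours.
        # Item 8: the administrator is never rate-limited.
        if (actor == self.name and self.is_human and self.last_user_change is not None
                and now - self.last_user_change < USER_CHANGE_INTERVAL):
            return ["9: user already changed this password within the last 24 hours"]
        failures = complexity_failures(new_password)
        # Item 7: reject any of the previous 10 passwords.
        if _digest(new_password, self.salt) in self.history:
            failures.append("7: matches one of the previous 10 passwords")
        if failures:
            return failures
        self.history = (self.history + [_digest(new_password, self.salt)])[-HISTORY_DEPTH:]
        self.last_changed = now
        if actor == self.name:
            self.last_user_change = now
        return []


def run_scenario() -> Dict[str, object]:
    """Constructed walk-through of the lifecycle rules on one human account."""
    t0 = datetime(2007, 1, 29, 9, 0)
    acct = Account("alice")
    out: Dict[str, object] = {}
    out["initial"] = acct.change_password("alice", "Winter-2007x", t0)
    out["user_retry_same_day"] = acct.change_password("alice", "Spring-2007y", t0 + timedelta(hours=1))
    out["admin_same_day"] = acct.change_password(ADMIN, "Spring-2007y", t0 + timedelta(hours=1))
    out["reuse_old"] = acct.change_password(ADMIN, "Winter-2007x", t0 + timedelta(days=2))
    out["other_user"] = acct.change_password("bob", "Summer-2007z", t0 + timedelta(days=2))
    out["expired_day_30"] = acct.is_expired(t0 + timedelta(days=30))
    out["expired_day_62"] = acct.is_expired(t0 + timedelta(days=62))
    return out


if __name__ == "__main__":
    for label, result in run_scenario().items():
        print(f"{label}: {result}")
```

Each refusal names the checklist item it enforces, so a demonstration can be scored item by item against the 1-4, 5-7 and 8-10 bands above.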


Vulnerability 13: Does the vendor permit the use of default accounts, default passwords, community strings or other default access control mechanisms?
IA Control: IAIA-1
Description Criteria:
- Uses default access control mechanisms or cannot describe the prohibition of these mechanisms = 0
- Can describe how they do not use default access control mechanisms = 1
Documentation Criteria:
- Uses default access control mechanisms or cannot provide documentation for prohibiting these mechanisms = 0
- Can provide documentation that no default access control mechanisms are used = 2
Demonstration Criteria:
- Uses default access control mechanisms or cannot demonstrate that these are not in use = 0
- Can demonstrate that no default access control mechanisms are used = 3
Score:


Vulnerability 14: Does the vendor permit the use of shared accounts?
IA Control: IAIA-1
Description Criteria:
- Permits shared accounts or cannot describe how shared accounts are not permitted = 0
- Can describe how shared accounts are not permitted = 1
Documentation Criteria:
- Permits shared accounts or cannot provide documentation which prohibits shared accounts = 0
- Can provide documentation that prohibits shared accounts = 2
Demonstration Criteria:
- Permits shared accounts or cannot demonstrate that no shared accounts are used = 0
- Can demonstrate that no shared accounts are used = 3
Score:


Confidentiality

Vulnerability 15: Does the vendor utilize appropriate file permissions on sensitive data?
IA Controls: DCSR-2, ECCD-1, ECIC-1, ECPA-1, ECTP-1
Question to Ask:
1. Are file permissions based on roles & need to know?
Description Criteria:
- Does not have appropriate file permissions on sensitive data or cannot describe their file permissions on sensitive data = 0
- Can describe their file permissions & they are appropriate for sensitive data = 1
Documentation Criteria:
- Does not have appropriate file permissions on sensitive data or cannot provide documentation on sensitive data file permissions = 0
- Can provide documentation that system file permissions are appropriate for sensitive data = 1
- Can provide documentation that system file & application file permissions are appropriate for sensitive data = 2
Demonstration Criteria:
- Does not have appropriate file permissions on sensitive data or cannot demonstrate file permissions on sensitive data = 0
- Can demonstrate that system file permissions are appropriate for sensitive data = 2
- Can demonstrate that system file & application file permissions are appropriate for sensitive data = 3
Score:


Vulnerability 16: Are authentication credentials stored in an encrypted format?
IA Controls: DCNR-1, DCSR-2, ECCR-1, IAIA-1, IAKM-1
Description Criteria:
- Authentication credentials are not stored in encrypted format or cannot describe how encryption is used to store authentication credentials = 0
- Can describe how authentication credentials are stored in encrypted format = 1
Documentation Criteria:
- Authentication credentials are not stored in encrypted format or cannot provide documentation of the requirement = 0
- Can provide documentation that authentication credentials are stored in encrypted format = 2
Demonstration Criteria:
- Authentication credentials are not stored in encrypted format or cannot demonstrate that authentication credentials are stored in encrypted format = 0
- Can demonstrate that authentication credentials are stored in encrypted format = 3
Score:


Vulnerability 17: Is NIST-certified cryptography (SSL) used with unclassified, sensitive web traffic?
IA Controls: DCMC-1, DCNR-1, DCSR-2, ECCT-1, ECNK-1
Description Criteria:
- NIST-certified cryptography is not used for unclassified, sensitive web traffic or cannot describe how it is used = 0
- Can describe how SSL is used with unclassified, sensitive web traffic = 1
Documentation Criteria:
- NIST-certified cryptography is not used for unclassified, sensitive web traffic or cannot provide documentation of the requirement to use NIST-certified cryptography = 0
- Can provide documentation that SSL is used with unclassified, sensitive web traffic = 2
Demonstration Criteria:
- NIST-certified cryptography is not used for unclassified, sensitive web traffic or cannot demonstrate how it is used = 0
- Can demonstrate that SSL is used with unclassified, sensitive web traffic = 3
Score:


Vulnerability 18: Is NIST-certified cryptography (SSL) used to protect DoD sensitive data and data in transit?
IA Controls: DCMC-1, DCNR-1, DCSR-2, ECCT-1, ECNK-1
Description Criteria:
- NIST-certified cryptography is not used to protect DoD sensitive data & data in transit or cannot describe how it is used = 0
- Can describe how SSL is used to protect DoD sensitive data & data in transit = 1
Documentation Criteria:
- NIST-certified cryptography is not used to protect DoD sensitive data & data in transit or cannot provide documentation which states this requirement = 0
- Can provide documentation that SSL is used to protect DoD sensitive data & data in transit = 2
Demonstration Criteria:
- NIST-certified cryptography is not used to protect DoD sensitive data & data in transit or cannot demonstrate this requirement = 0
- Can demonstrate that SSL is used to protect DoD sensitive data & data in transit = 3
Score:


Vulnerability 19: Are the authentication credentials encrypted during transmission?
IA Controls: DCNR-1, DCSR-2, ECCR-1, IAIA-1, IAKM-1
Description Criteria:
- Authentication credentials are not encrypted during transmission or cannot describe how they are encrypted = 0
- Can describe how authentication credentials are encrypted during transmission = 1
Documentation Criteria:
- Authentication credentials are not encrypted during transmission or cannot provide documentation of this requirement = 0
- Can provide documentation that authentication credentials are encrypted during transmission = 2
Demonstration Criteria:
- Authentication credentials are not encrypted during transmission or cannot demonstrate this requirement = 0
- Can demonstrate that authentication credentials are encrypted during transmission = 3
Score:


Vulnerability 20: Does the vendor maintain separation of data to prevent disclosure of DoD information?
IA Controls: DCFA-1, DCSR-1, ECIC-1
Description Criteria:
- Does not maintain separation of data or cannot describe how data will be separated = 0
- Can describe how they will maintain separation of data = 1
Documentation Criteria:
- Does not maintain separation of data or cannot provide documentation requiring separation of data = 0
- Can provide documentation that Vendor does maintain separation of data = 2
Demonstration Criteria:
- Does not maintain separation of data or cannot demonstrate the separation of data = 0
- Can demonstrate that Vendor does maintain separation of data = 3
Score:


Integrity

Vulnerability 21: Does the vendor have a trust mark or site seal to validate users have reached the vendor site?
Description Criteria:
- Does not have a trust mark or site seal or cannot describe their trust mark or site seal = 0
- Has a trust mark or site seal = 1
Documentation Criteria:
- Does not have a trust mark or site seal or this requirement is not documented = 0
- Can provide documentation that Vendor has a trust mark or site seal = 2
Demonstration Criteria:
- Does not have a trust mark or site seal or cannot show their trust mark or site seal = 0
- Can show that Vendor has a trust mark or site seal = 3
Score:

Vulnerability 22: Are the documents loaded to the vendor site scanned for viruses prior to posting?
IA Control: ECVP-1
Description Criteria:
- Does not virus scan documents prior to posting or cannot describe their scanning process = 0
- Can describe their process for virus scanning documents prior to posting = 1
Documentation Criteria:
- Does not virus scan documents prior to posting or process is not documented = 0
- Can provide documentation that Vendor does virus scan documents prior to posting = 2
Demonstration Criteria:
- Does not virus scan documents prior to posting or cannot demonstrate scanning = 0
- Can demonstrate that Vendor does virus scan documents prior to posting = 3
Score:


Vulnerability 23: Are virus signatures updated at least every 14 days?
IA Control: ECVP-1
Question to Ask:
1. Is the process manual or automated?
Description Criteria:
- Virus signatures are not updated at least every 14 days or vendor cannot describe update process = 0
- Can describe process used to update virus signatures at least every 14 days = 1
Documentation Criteria:
- Virus signatures are not updated at least every 14 days or update process is not documented = 0
- Can provide documentation that virus signatures are updated at least every 14 days using a manual process = 1
- Can provide documentation that virus signatures are updated at least every 14 days using an automated process = 2
Demonstration Criteria:
- Virus signatures are not updated at least every 14 days or update process cannot be demonstrated = 0
- Can demonstrate that virus signatures are updated at least every 14 days using a manual process = 2
- Can demonstrate that virus signatures are updated at least every 14 days using an automated process = 3
Score:


Vulnerability 24: Does the vendor scan the server for viruses on a regular basis?
IA Control: ECVP-1
Question to Ask:
1. How often does the vendor scan for viruses?
Description Criteria:
- Does not scan for viruses on a regular basis or cannot describe scanning process = 0
- Can describe scanning process & how frequently scanning is done = 1
Documentation Criteria:
- Does not scan for viruses on a regular basis or cannot provide documentation of scanning process = 0
- Can provide documentation that Vendor scans for viruses less frequently than weekly = 1
- Can provide documentation that Vendor scans for viruses weekly or more frequently = 2
Demonstration Criteria:
- Does not scan for viruses on a regular basis or cannot demonstrate scanning = 0
- Can demonstrate that Vendor scans for viruses less frequently than weekly = 2
- Can demonstrate that Vendor scans for viruses weekly or more frequently = 3
Score:


Vulnerability 25: Does the vendor scan the server for spyware on a regular basis?
IA Control: ECVP-1
Question to Ask:
1. How often does the vendor scan for spyware?
Description Criteria:
- Does not scan for spyware on a regular basis or cannot describe scanning process = 0
- Can describe process used for scanning for spyware & how frequently scanning is completed = 1
Documentation Criteria:
- Does not scan for spyware on a regular basis or cannot provide documentation of process = 0
- Can provide documentation that Vendor scans for spyware less frequently than weekly = 1
- Can provide documentation that Vendor scans for spyware weekly or more frequently = 2
Demonstration Criteria:
- Does not scan for spyware on a regular basis or cannot demonstrate scanning process = 0
- Can demonstrate that Vendor scans for spyware less frequently than weekly = 2
- Can demonstrate that Vendor scans for spyware weekly or more frequently = 3
Score:


Vulnerability 26: Does the vendor scan the server for adware on a regular basis?
IA Control: ECVP-1
Question to Ask:
1. How often does the vendor scan for adware?
Description Criteria:
- Vendor does not scan for adware on a regular basis or cannot describe scanning process = 0
- Vendor can describe process used to scan for adware & how frequently scanning is completed = 1
Documentation Criteria:
- Vendor does not scan for adware on a regular basis or cannot provide documentation of scanning = 0
- Can provide documentation that Vendor scans for adware less frequently than weekly = 1
- Can provide documentation that Vendor scans for adware weekly or more frequently = 2
Demonstration Criteria:
- Vendor does not scan for adware on a regular basis or cannot demonstrate scanning process = 0
- Can demonstrate that Vendor scans for adware less frequently than weekly = 2
- Can demonstrate that Vendor scans for adware weekly or more frequently = 3
Score:


Availability

Vulnerability 27: Does the vendor have a policy for backups?
IA Controls: COED-1, CODB-1, CODB-2, COTR-1
List of Items to be Included:
1. Schedule for regular backups
2. Backups to be stored off-site
3. Recovery Plan
4. Clearly defined activities & responsibilities of individuals
5. Policy should be tested annually
6. Personnel trained annually
7. Backups should maintain separation of DoD data
Description Criteria:
- Does not have a policy for backups or cannot describe backup policy = 0
- Vendor can describe policy for backups = 1
Documentation Criteria:
- Does not have a policy for backups, or cannot provide documentation of policy, or policy does not include any of the items listed = 0
- Can provide documentation that Vendor has policy & it includes 1-3 of listed items = 1
- Can provide documentation that Vendor has policy & it includes 4-7 of listed items = 2
Demonstration Criteria:
- Does not have a policy for backups or cannot demonstrate backups = 0
- Can demonstrate that Vendor has policy and it includes 1-2 of listed items = 1
- Can demonstrate that Vendor has policy and it includes 3-4 of listed items = 2
- Can demonstrate that Vendor has policy and it includes 5-7 of listed items = 3
Score:


Vulnerability 28: Does the vendor have a documented, executable process for backups?
IA Controls: COSW-1, COTR-1
Question to Ask:
1. Is the process manual or automated?
Description Criteria:
- Does not have a backup process or cannot describe the process = 0
- Can describe backup process = 1
Documentation Criteria:
- Does not have a backup process or cannot provide documentation of their backup process = 0
- Can provide documentation of the manual backup process = 1
- Can provide documentation of the automated backup process = 2
Demonstration Criteria:
- Does not have a backup process or cannot demonstrate backup process = 0
- Can demonstrate the manual backup process = 2
- Can demonstrate the automated backup process = 3
Score:


Vulnerability 29: Does the backup process include operating system files?
IA Control: COBR-1
Question to Ask:
1. Is the process manual or automated?
Description Criteria:
- Backup process does not include operating system files or cannot describe process = 0
- Can describe backup process & it includes operating system files = 1
Documentation Criteria:
- Backup process does not include operating system files or cannot provide documentation of process = 0
- Can provide documentation of the manual backup process which includes operating system files = 1
- Can provide documentation of the automated backup process which includes operating system files = 2
Demonstration Criteria:
- Backup process does not include operating system files or cannot demonstrate process = 0
- Can demonstrate the manual backup process which includes operating system files = 2
- Can demonstrate the automated backup process which includes operating system files = 3
Score:


Vulnerability 30: Does the backup process include user data?
IA Control: CODB-1
Question to Ask:
1. Is the process manual or automated?
Description Criteria:
- Backup process does not include user data or cannot describe process = 0
- Can describe backup process & it includes user data = 1
Documentation Criteria:
- Backup process does not include user data or cannot provide documentation of process = 0
- Can provide documentation of the manual backup process = 1
- Can provide documentation of the automated backup process = 2
Demonstration Criteria:
- Backup process does not include user data or cannot demonstrate process = 0
- Can demonstrate the manual backup process = 2
- Can demonstrate the automated backup process = 3
Score:


Vulnerability 31: Is the backup process tested on a regular basis?
IA Control: COED-1
Description Criteria:
- Backup process is not tested on a regular basis or cannot describe test of backup process = 0
- Can describe backup process being tested on a regular basis = 1
Documentation Criteria:
- Backup process is not tested on a regular basis or cannot provide documentation of testing backup process = 0
- Can provide documentation that backup process is tested on a regular basis = 2
Demonstration Criteria:
- Backup process is not tested on a regular basis or cannot demonstrate that backup process has been tested on a regular basis = 0
- Can demonstrate that backup process is tested on a regular basis = 3
Score:
32 Are the results of the backup process verified?
IA Control: COED-1
Description Criteria:
Backup process results are not verified or cannot describe verification process = 0
Can describe verification of backup process = 1
Documentation Criteria:
Backup process results are not verified or cannot provide documentation of verification of backups = 0
Can provide documentation that backup process results are verified = 2
Demonstration Criteria:
Backup process results are not verified or cannot demonstrate verification of backup process = 0
Can demonstrate that backup process results are verified = 3
Score:
33 Are the backups stored off-site?
IA Control: COSW-1
Description Criteria:
Backups are not stored off-site or cannot describe where backups are stored = 0
Can describe off-site storage of backups = 1
Documentation Criteria:
Backups are not stored off-site or cannot provide documentation which requires backups to be stored off-site = 0
Can provide documentation that backups are stored off-site = 2
Demonstration Criteria:
Backups are not stored off-site or cannot demonstrate that backups are stored off-site = 0
Can demonstrate that backups are stored off-site = 3
Score:
34 Does the vendor have a restore and recovery process?
IA Control: COSP-1, COED-1, COEF-1, CODP-1
Things to Consider:
1. Restore & Recovery node
2. High availability failover
Question to Ask:
1. Is the process manual or automated?
Description Criteria:
Does not have a restore & recovery process or cannot describe their process = 0
Can describe their restore & recovery process = 1
Documentation Criteria:
Does not have restore & recovery process or cannot provide documentation of this process = 0
Can provide documentation of manual restore & recovery process = 1
Can provide documentation of automated restore & recovery process = 2
Demonstration Criteria:
Does not have a restore & recovery process or cannot demonstrate their process = 0
Can demonstrate manual restore & recovery process = 2
Can demonstrate automated restore & recovery process = 3
Score:
35 Is the restore and recovery process tested on a regular basis?
IA Control: COED-1, CODP-1, COEF-1, COMS-1
Description Criteria:
Does not test their restore & recovery process or cannot describe testing their process = 0
Can describe testing of restore & recovery process = 1
Documentation Criteria:
Does not test their restore & recovery process or cannot provide documentation of this process = 0
Can provide documentation of the testing of restore & recovery process = 2
Demonstration Criteria:
Does not test their restore & recovery process or cannot demonstrate this process = 0
Can demonstrate the testing of restore & recovery process = 3
Score:
36 Have the results of the recovery and restore process been verified?
IA Control: CODP-1, COEF-1
Description Criteria:
Results are not verified or cannot describe verification process = 0
Can describe verification of results = 1
Documentation Criteria:
Results are not verified or cannot provide documentation of verification process = 0
Can provide documentation that results have been verified = 2
Demonstration Criteria:
Results are not verified or cannot demonstrate verification of results = 0
Can demonstrate that results have been verified = 3
Score:
37 Does the application support a maximum number of concurrent users based on contract requirements without impact to availability of application?
Things to Consider:
1. Scalability
Description Criteria:
Application does not have maximum number of concurrent users or cannot describe maximum number of concurrent users = 0
Can describe that application does have a maximum number of concurrent users = 1
Documentation Criteria:
Application does not have maximum number of concurrent users or cannot provide documentation of this number = 0
Can provide documentation that application has maximum number of concurrent users but maximum number is not scalable = 1
Can provide documentation that application has maximum number of concurrent users & maximum number is scalable = 2
Demonstration Criteria:
Application does not have maximum number of concurrent users or cannot demonstrate the maximum number of concurrent users = 0
Can demonstrate that application has maximum number of concurrent users but this maximum number is not scalable = 2
Can demonstrate that application has maximum number of concurrent users & this maximum number is scalable = 3
Score:
38 Does the application limit the maximum number of concurrent sessions per user?
IA Control: ECLO-1
Description Criteria:
Application does not have a maximum number of concurrent sessions per user or cannot describe maximum number = 0
Can describe that application has maximum number of concurrent sessions per user = 1
Documentation Criteria:
Application does not have a maximum number of concurrent sessions per user or cannot provide documentation = 0
Can provide documentation that application has maximum number of concurrent sessions per user = 2
Demonstration Criteria:
Application does not have a maximum number of concurrent sessions per user or cannot demonstrate the maximum number of sessions = 0
Can demonstrate that application has maximum number of concurrent sessions per user = 3
Score:
39 Does the vendor have an alternative power supply or uninterruptible power supply in support of the application and data transmissions?
IA Control: COPS-1
Description Criteria:
Vendor does not have alternative or uninterruptible power supply or cannot describe alternative power supply = 0
Can describe their alternative or uninterruptible power supply = 1
Documentation Criteria:
Vendor does not have alternative or uninterruptible power supply or cannot provide documentation of power supply = 0
Can provide documentation of alternative or uninterruptible power supply = 2
Demonstration Criteria:
Vendor does not have alternative or uninterruptible power supply or cannot demonstrate this power supply = 0
Can demonstrate alternative or uninterruptible power supply = 3
Score:
40 Does the vendor provide the appropriate level of redundancy of all application components based on contract requirements?
Description Criteria:
Does not provide appropriate redundancy or cannot describe redundancy = 0
Can describe how they provide appropriate redundancy = 1
Documentation Criteria:
Does not provide appropriate redundancy or cannot provide documentation of redundancy = 0
Can provide documentation of appropriate redundancy = 2
Demonstration Criteria:
Does not provide appropriate redundancy or cannot demonstrate redundancy = 0
Can demonstrate appropriate redundancy = 3
Score:
41 Does the vendor utilize a system performance monitoring tool to analyze performance in real time?
Description Criteria:
Does not utilize system performance tool or cannot describe how they use this tool = 0
Can describe how they utilize a system performance tool = 1
Documentation Criteria:
Does not utilize system performance tool or cannot provide documentation of utilizing tool = 0
Can provide documentation of a system performance tool = 2
Demonstration Criteria:
Does not utilize system performance tool or cannot demonstrate this tool = 0
Can demonstrate a system performance tool = 3
Score:
Non-repudiation
42 Does the vendor use NIST FIPS 140-2 validated cryptography to implement encryption, key exchange, digital signature, and hash?
IA Control: DCNR-1
Things to Consider:
1. Cryptography – DoD PKI class 3 or 4 token
2. Encryption – AES, 3DES, DES, Skipjack
3. Key Exchange – FIPS 171
4. Digital Signature – DSA, RSA, ECDSA
5. Hash – SHA-1, SHA-256, SHA-384, SHA-512
Description Criteria:
Does not use FIPS 140-2 or cannot describe how it is used in their application = 0
Can describe how they use FIPS 140-2 = 1
Documentation Criteria:
Does not use FIPS 140-2 or cannot provide documentation of using FIPS 140-2 in their application = 0
Can provide documentation of FIPS 140-2 = 2
Demonstration Criteria:
Does not use FIPS 140-2 or cannot demonstrate use of FIPS 140-2 = 0
Can demonstrate use of FIPS 140-2 = 3
Score:
43 Does the vendor perform auditing?
IA Control: ECAT-1, ECCD-1, ECRG-1, ECAR-2
List of Items to be Included:
1. Operating System
2. Application
3. Web Server
4. Web Services
5. Network Devices
6. Database
7. Wireless
Description Criteria:
Does not perform auditing or cannot describe how they perform auditing = 0
Can describe their auditing process = 1
Documentation Criteria:
Does not perform auditing or cannot provide documentation requiring auditing = 0
Can provide documentation of auditing & auditing includes 1 – 3 of listed items = 1
Can provide documentation of auditing & auditing includes 4 – 7 of listed items = 2
Demonstration Criteria:
Does not perform auditing or cannot demonstrate auditing = 0
Can demonstrate auditing & auditing includes 1 – 2 of listed items = 1
Can demonstrate auditing & auditing includes 3 – 4 of listed items = 2
Can demonstrate auditing & auditing includes 5 – 7 of listed items = 3
Score:
44 Does the vendor audit both success and failure of logon attempts to the application?
IA Control: ECAT-1, ECRG-1, ECAR-2, ECLO-1
Description Criteria:
Does not audit both success & failure of logon attempts to the application or cannot describe how they audit these events = 0
Can describe how they audit both success & failure of logon attempts to application = 1
Documentation Criteria:
Does not audit both success & failure of logon attempts to the application or cannot provide documentation of auditing both events = 0
Can provide documentation of auditing both success & failure of logon attempts to application = 2
Demonstration Criteria:
Does not audit both success & failure of logon attempts to application or cannot demonstrate auditing of these events = 0
Can demonstrate auditing both success & failure of logon attempts to application = 3
Score:
45 Does the vendor have a policy for reviewing audit logs?
IA Control: ECAT-1, ECRG-1, ECAR-2
Things to Consider:
1. Frequency of review (daily, weekly)
Description Criteria:
Does not have policy for reviewing audit logs or cannot describe their policy = 0
Can describe their policy for reviewing audit logs = 1
Documentation Criteria:
Does not have policy for reviewing audit logs or cannot provide documentation of policy = 0
Can provide copy of policy for reviewing audit logs & reviews are completed less frequently than daily = 1
Can provide copy of policy for reviewing audit logs & reviews are completed daily or more frequently = 2
Demonstration Criteria:
Does not have policy for reviewing audit logs or cannot demonstrate policy = 0
Can demonstrate reviewing logs & reviews are done less frequently than weekly = 1
Can demonstrate reviewing logs & reviews are completed weekly or more frequently but less frequently than daily = 2
Can demonstrate reviewing logs & reviews are completed daily or more frequently = 3
Score:
46 What events does the vendor log?
IA Control: DCSL-1, ECAT-1, ECAR-2
List of Items to be Included:
1. Audit all failures
2. Successful logon attempt
3. Failure of logon attempt
4. Permission Changes
5. Unsuccessful File Access
6. Creating users & objects
7. Deletion & modification of system files
8. Registry Key/Kernel changes
Description Criteria:
Does not audit or vendor’s auditing does not include any of the listed items or cannot describe what events are audited = 0
Can describe events audited = 1
Documentation Criteria:
Does not audit or vendor’s auditing does not include any of the listed items or cannot provide documentation of events in log = 0
Can provide documentation for auditing & it includes auditing 1 – 4 of items = 1
Can provide copy of policy for auditing & it includes auditing 5 – 8 of items = 2
Demonstration Criteria:
Does not audit or vendor’s auditing does not include any listed items or cannot demonstrate events in log = 0
Can show audit log & log contains 1 – 2 of listed items = 1
Can show audit log & log contains 3 – 4 of listed items = 2
Can show audit log & log contains 5 – 8 of listed items = 3
Score:
47 What events does the application log?
IA Control: ECAT-1, ECCD-1
List of Items to be Included:
1. Startup & shutdown
2. Authentication
3. Authorization/permission granting
4. Actions by trusted users
5. Process invocation
6. Controlled access to data by individually authenticated user
7. Unsuccessful data access attempt
8. Data deletion
9. Data transfer
10. Application configuration change
11. Application of confidentiality or integrity labels to data
12. Override or modification of data labels or markings
13. Output to removable media
14. Output to a printer
Description Criteria:
Application does not audit or cannot describe what application is logging = 0
Can describe what application audits = 1
Documentation Criteria:
Application does not audit or cannot provide documentation for application auditing = 0
Can provide documentation for application auditing & it includes auditing 1 – 7 of listed items = 1
Can provide documentation for application auditing & it includes auditing 8 – 14 of listed items = 2
Demonstration Criteria:
Application does not audit or cannot demonstrate what application is logging = 0
Can show application audit log & log contains 1 – 5 of listed items = 1
Can show application audit log & log contains 6 – 10 of listed items = 2
Can show application audit log & log contains 11 – 14 of listed items = 3
Score:
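The Demonstration Criteria for item 47 score an application audit log by how many of the 14 listed event categories it actually contains. The following is an added example, not part of the DISA checklist, of how a reviewer can run that check over a log instead of eyeballing it: it parses key=value audit records, maps each event to one of the 14 categories, and reports the coverage band and the categories with no evidence. The log format, the event names (APP_STARTUP, AUTH_OK, ...) and the sample records are constructed for this example; a real application's event names have to be mapped onto the categories by hand.

```python
"""Coverage check for checklist item 47 (application audit events).

Added example, not part of the DISA checklist. Log format, event names
and the sample log below are constructed assumptions for illustration.
"""
import re
from collections import defaultdict

# The 14 categories listed under checklist item 47, keyed by item number.
CATEGORIES = {
    1: "Startup & shutdown", 2: "Authentication",
    3: "Authorization/permission granting", 4: "Actions by trusted users",
    5: "Process invocation",
    6: "Controlled access to data by individually authenticated user",
    7: "Unsuccessful data access attempt", 8: "Data deletion",
    9: "Data transfer", 10: "Application configuration change",
    11: "Application of confidentiality or integrity labels to data",
    12: "Override or modification of data labels or markings",
    13: "Output to removable media", 14: "Output to a printer",
}

# Assumed mapping from this example's event names to category numbers.
EVENT_TO_CATEGORY = {
    "APP_STARTUP": 1, "APP_SHUTDOWN": 1, "AUTH_OK": 2, "AUTH_FAIL": 2,
    "PERM_GRANT": 3, "ADMIN_ACTION": 4, "PROC_START": 5, "DATA_READ": 6,
    "DATA_DENIED": 7, "DATA_DELETE": 8, "DATA_EXPORT": 9,
    "CONFIG_CHANGE": 10, "LABEL_APPLY": 11, "LABEL_OVERRIDE": 12,
    "MEDIA_WRITE": 13, "PRINT": 14,
}

# One record per line, e.g. "ts=2007-01-29T08:00:05Z event=AUTH_OK user=alice"
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one audit record as a dict."""
    return dict(FIELD_RE.findall(line))


def covered_categories(lines):
    """Set of category numbers evidenced in the log, plus per-category counts."""
    counts = defaultdict(int)
    for line in lines:
        category = EVENT_TO_CATEGORY.get(parse_line(line).get("event"))
        if category is not None:
            counts[category] += 1
    return set(counts), dict(counts)


def demonstration_score(covered):
    """Band from item 47's Demonstration Criteria: 1-5 items = 1,
    6-10 = 2, 11-14 = 3; an empty log scores 0."""
    n = len(covered)
    if n == 0:
        return 0
    if n <= 5:
        return 1
    if n <= 10:
        return 2
    return 3


def missing_categories(covered):
    """Names of the listed categories with no matching event in the log."""
    return [CATEGORIES[i] for i in sorted(set(CATEGORIES) - covered)]


# Constructed sample log; not output from any real application.
SAMPLE_LOG = """\
ts=2007-01-29T08:00:00Z event=APP_STARTUP host=app01
ts=2007-01-29T08:00:05Z event=AUTH_OK user=alice src=10.0.0.5
ts=2007-01-29T08:00:09Z event=AUTH_FAIL user=bob src=10.0.0.6 reason=bad_password
ts=2007-01-29T08:01:00Z event=PERM_GRANT actor=admin target=alice role=analyst
ts=2007-01-29T08:02:00Z event=DATA_READ user=alice object=report-17
ts=2007-01-29T08:02:30Z event=DATA_DENIED user=bob object=report-17
ts=2007-01-29T08:03:00Z event=CONFIG_CHANGE actor=admin key=session.max
ts=2007-01-29T08:04:00Z event=DATA_DELETE user=alice object=draft-3
""".splitlines()


def assess(lines=SAMPLE_LOG):
    """Summarise coverage, score band and gaps for a list of log lines."""
    covered, _counts = covered_categories(lines)
    return {"covered": sorted(covered),
            "score": demonstration_score(covered),
            "missing": missing_categories(covered)}


if __name__ == "__main__":
    result = assess()
    print("categories evidenced:", result["covered"])
    print("demonstration score:", result["score"])
    print("no evidence for:", result["missing"])
```

The sample log evidences seven categories (1, 2, 3, 6, 7, 8, 10), which lands in the 6 – 10 band and scores 2; the "missing" list is what the reviewer asks the vendor to produce next. Item 46 (vendor logging) can be scored the same way by swapping in its eight categories and bands.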
Protection
48 Does the vendor follow some type of guidance to secure the vendor computing and network infrastructure?
IA Control: DCCS-1, ECND-1
Things to Consider:
1. Defense in Depth
Description Criteria:
Follows no guidance for securing their computing & network infrastructure or cannot describe what guidance they follow = 0
Follows guidance for securing their computing & network infrastructure & can describe what that guidance is = 1
Documentation Criteria:
Follows no guidance for securing their computing & network infrastructure or cannot provide documentation of guidance = 0
Can provide copy of guidance but it does not include defense in depth = 1
Can provide copy of guidance & it includes defense in depth = 2
Demonstration Criteria:
Follows no guidance for securing their computing & network infrastructure or cannot demonstrate guidance = 0
Can demonstrate their security guidance but it does not include defense in depth = 2
Can demonstrate their security guidance & it includes defense in depth = 3
Score:
49 Does the vendor employ a firewall?
IA Control: EBBD-2, ECND-1
Description Criteria:
Does not employ firewall or cannot describe their firewall = 0
Does employ firewall & can describe their firewall = 1
Documentation Criteria:
Does not employ firewall or cannot provide documentation of employing firewall = 0
Can provide documentation of employment of firewall = 2
Demonstration Criteria:
Does not employ firewall or cannot demonstrate employment of firewall = 0
Can demonstrate employment of firewall = 3
Score:
50 Are the firewall ACLs set to deny by default, allow by exception?
IA Control: ECND-1, EBBD-2
Description Criteria:
Does not have firewall ACLs set to deny by default, allow by exception or cannot describe their firewall ACLs = 0
Has firewall ACLs set to deny by default, allow by exception & can describe their ACLs = 1
Documentation Criteria:
Does not have firewall ACLs set to deny by default, allow by exception or cannot provide documentation of firewall ACLs = 0
Can provide documentation of firewall ACLs but they are not set to deny by default, allow by exception = 1
Can provide documentation of firewall ACLs & they are set to deny by default, allow by exception = 2
Demonstration Criteria:
Does not have firewall ACLs set to deny by default, allow by exception or cannot demonstrate their firewall ACLs = 0
Can demonstrate firewall ACLs but they are not set to deny by default, allow by exception = 2
Can demonstrate firewall ACLs & they are set to deny by default, allow by exception = 3
Score:
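Item 50 distinguishes an ACL that lists exceptions on top of an allow-everything default from one that lists the same exceptions on top of a deny-everything default. The following added example, not part of the DISA checklist, makes that difference concrete: a tiny first-match rule evaluator is run with the same three exception rules under both defaults, and a check function returns whether a rule set is deny-by-default (either through its configured default or through a final catch-all deny). The rule format, addresses and ports are constructed for the example and do not correspond to any vendor's firewall.

```python
"""Deny-by-default versus allow-by-default ACL evaluation (checklist item 50).

Added example, not part of the DISA checklist. Rule format, sample rules,
addresses and ports are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY_SRC = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # source CIDR; ANY_SRC matches every address
    dst_port: Optional[int]   # None matches every destination port

    def matches(self, src_ip: str, dst_port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and (self.dst_port is None or self.dst_port == dst_port))


def evaluate(rules: List[Rule], default: str, src_ip: str, dst_port: int) -> str:
    """First matching rule wins; `default` applies when no rule matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return default


# The exceptions the vendor intends to permit (constructed sample).
EXCEPTIONS = [
    Rule("allow", ANY_SRC, 443),          # public HTTPS front end
    Rule("allow", "10.20.0.0/16", 22),    # SSH only from the management subnet
    Rule("deny", ANY_SRC, 23),            # an explicit telnet block
]

# Weak posture: same exceptions, but unmatched traffic is allowed.
WEAK = {"rules": EXCEPTIONS, "default": "allow"}
# Corrected posture: anything not explicitly allowed is denied.
HARDENED = {"rules": EXCEPTIONS, "default": "deny"}


def decide(policy: dict, src_ip: str, dst_port: int) -> str:
    return evaluate(policy["rules"], policy["default"], src_ip, dst_port)


def exposed_ports(policy: dict, src_ip: str, ports: List[int]) -> List[int]:
    """Ports from `ports` that the policy lets `src_ip` reach."""
    return [p for p in ports if decide(policy, src_ip, p) == "allow"]


def is_deny_by_default(policy: dict) -> bool:
    """The item 50 check: unmatched traffic must be denied, either by the
    configured default or by a trailing catch-all deny rule."""
    rules = policy["rules"]
    if rules:
        last = rules[-1]
        if last.action == "deny" and last.src == ANY_SRC and last.dst_port is None:
            return True
    return policy["default"] == "deny"


if __name__ == "__main__":
    probe_ports = [22, 23, 443, 3389, 8080]   # constructed probe list
    outside = "198.51.100.7"                  # documentation-range address
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "deny-by-default:", is_deny_by_default(policy),
              "reachable from outside:", exposed_ports(policy, outside, probe_ports))
```

Under the weak posture an outside address reaches 22, 443, 3389 and 8080 because the SSH rule only matches the management subnet and everything it does not match falls through to allow; under the hardened posture the same rules expose only 443. The point for the reviewer is that the exception list alone says nothing; the default (or a final catch-all deny) is what has to be documented and demonstrated.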
51 Does the vendor deploy and monitor network intrusion detection tools?
IA Control: EBBD-2, ECND-1
Description Criteria:
Does not deploy & monitor network intrusion detection tools = 0
Vendor does deploy & monitor network intrusion detection tools = 1
Documentation Criteria:
Does not deploy & monitor network intrusion detection tools = 0
Can provide documentation for deploying & monitoring network intrusion detection tools = 2
Demonstration Criteria:
Does not deploy & monitor network intrusion detection tools = 0
Can demonstrate that network intrusion detection tools have been deployed & are monitored = 3
Score:
52 Does the vendor deploy and monitor host-based intrusion detection tools?
IA Control: EBBD-2, ECND-1
Description Criteria:
Does not deploy & monitor host-based intrusion detection tools or cannot describe their use of HIDS = 0
Can describe their use of host-based intrusion detection tools = 1
Documentation Criteria:
Does not deploy & monitor host-based intrusion detection tools or cannot provide documentation of deployment & monitoring = 0
Can provide documentation for deploying & monitoring host-based intrusion detection tools = 2
Demonstration Criteria:
Does not deploy & monitor host-based intrusion detection tools or cannot demonstrate their HIDS = 0
Can demonstrate that host-based intrusion detection tools have been deployed & are monitored = 3
Score:
53 Does the vendor have strong two-factor authentication for management/admin traffic?
IA Control: DCBP-1
Things to Consider:
1. Something you have
2. Something you are
3. Something you know
Description Criteria:
Does not have strong two-factor authentication for management/admin traffic or cannot describe their two-factor authentication = 0
Can describe their strong two-factor authentication for management/admin traffic = 1
Documentation Criteria:
Does not have strong two-factor authentication for management/admin traffic or cannot provide documentation of their strong two-factor authentication = 0
Can provide documentation for strong two-factor authentication for management/admin traffic = 2
Demonstration Criteria:
Does not have strong two-factor authentication for management/admin traffic or cannot demonstrate two-factor authentication = 0
Can demonstrate strong two-factor authentication for management/admin traffic = 3
Score:
54 Does the vendor have a patch management process?
IA Control: ECND-1
Description Criteria:
Does not have patch management process or cannot describe their process = 0
Can describe their patch management process = 1
Documentation Criteria:
Does not have patch management process or cannot provide documentation for patch management process = 0
Can provide documentation for patch management process = 2
Demonstration Criteria:
Does not have patch management process or cannot demonstrate patch management process = 0
Can demonstrate patch management process = 3
Score:
55 What is the vendor’s patch management process?
IA Control: DCCT-1, ECND-1
Question to Ask:
1. Does the vendor subscribe to the application vendor hardware/software notification sites for the latest patch notifications?
2. Is there a schedule for applying patches?
3. Are patches tested before applying to production?
4. Is the severity of the vulnerability considered during determination of the timeliness of applying the patch?
Description Criteria:
Does not have patch management process or cannot describe their patch management process = 0
Vendor can describe their patch management process = 1
Documentation Criteria:
Does not have patch management process or cannot provide documentation of their patch management process = 0
Can provide documentation of their patch management process & it addresses 1 – 2 of questions = 1
Can provide documentation of their patch management process & it addresses 3 – 4 of questions = 2
Demonstration Criteria:
Does not have a patch management process or cannot demonstrate their patch management process = 0
Can demonstrate their patch management process & it addresses 1 – 2 of questions = 2
Can demonstrate their patch management process & it addresses 3 – 4 of questions = 3
Score:
56 Does the vendor have a verification process for ensuring patches have been applied?
IA Control: DCCT-1, ECMT-1
Description Criteria:
Does not have verification process or cannot describe their verification process = 0
Can describe their verification process = 1
Documentation Criteria:
Does not have verification process or cannot provide documentation of verification process = 0
Can provide documentation which requires verification that patches have been applied = 2
Demonstration Criteria:
Does not have verification process or cannot demonstrate patches have been applied = 0
Can demonstrate patches have been applied = 3
Score:
57 Does the vendor perform security self-assessments on a regular basis?
IA Control: ECMT-1
Question to Ask:
1. How often does the vendor perform self-assessments?
Description Criteria:
Does not perform self-assessments or cannot describe self-assessment process = 0
Does perform self-assessments = 1
Documentation Criteria:
Does not perform self-assessments or cannot provide documentation of self-assessment requirement = 0
Can provide documentation requiring self-assessments to be performed less frequently than monthly = 1
Can provide documentation requiring self-assessments to be performed monthly or more frequently = 2
Demonstration Criteria:
Does not perform self-assessments or cannot demonstrate their self-assessment process = 0
Can demonstrate self-assessments are performed & they are completed less frequently than monthly = 2
Can demonstrate self-assessments are performed & they are completed monthly or more frequently = 3
Score:
58 Are self-assessment results reviewed on a regular basis?
IA Control: ECMT-1
Description Criteria:
Does not review self-assessment results or cannot describe review of self-assessment results = 0
Can describe review of self-assessment results = 1
Documentation Criteria:
Does not review self-assessment results or cannot provide documentation of review of results = 0
Can provide documentation which requires review of self-assessment results = 2
Demonstration Criteria:
Does not review self-assessment results or cannot demonstrate review of self-assessment results = 0
Can demonstrate review of self-assessment results = 3
Score:
59 Does the vendor require sanitation of equipment and media prior to disposal?
IA Control: PECS-1
Description Criteria:
Does not require sanitation of equipment & media prior to disposal or cannot describe sanitation process = 0
Can describe the sanitation of equipment & media prior to disposal = 1
Documentation Criteria:
Does not require sanitation of equipment & media prior to disposal or cannot provide documentation of sanitation = 0
Can provide documentation of sanitation of equipment & media prior to disposal = 2
Demonstration Criteria:
Does not require sanitation of equipment & media prior to disposal or cannot demonstrate sanitation = 0
Can demonstrate sanitation of equipment & media prior to disposal = 3
Score:
60 Does the vendor’s security policy and process contain guidance for maintaining and monitoring a baseline configuration?
IA Control: DCHW-1, DCID-1, DCSL-1, ECMT-1
Description Criteria:
Does not have guidance for baseline configuration or cannot describe their baseline configuration = 0
Can describe their guidance for baseline configuration = 1
Documentation Criteria:
Does not have guidance for baseline configuration or cannot provide documentation of guidance = 0
Can provide documentation of baseline configuration = 2
Demonstration Criteria:
Does not have guidance for baseline configuration or cannot demonstrate baseline configurations = 0
Can demonstrate baseline configuration = 3
Score:
61 Does the vendor have a process in place to routinely verify baseline configuration?
IA Control: DCHW-1, ECMT-1
Description Criteria:
Does not have process for routinely verifying baseline configuration or cannot describe process = 0
Can describe process for routinely verifying baseline configuration = 1
Documentation Criteria:
Does not have process for routinely verifying baseline configuration or cannot provide process documentation = 0
Can provide process documentation which requires routine verification of baseline configuration = 2
Demonstration Criteria:
Does not have process for routinely verifying baseline configuration or cannot demonstrate the process = 0
Can demonstrate process for verifying baseline configuration = 3
Score:
62 Does the vendor employ a baseline configuration tool?
IA Control: DCHW-1, DCID-1
Description Criteria:
Does not employ baseline configuration tool or cannot describe their baseline configuration tool = 0
Can describe employment of baseline configuration tool = 1
Documentation Criteria:
Does not employ baseline configuration tool or cannot provide documentation of employment of a baseline configuration tool = 0
Can provide documentation which requires using a baseline configuration tool = 2
Demonstration Criteria:
Does not employ baseline configuration tool or cannot demonstrate employment of baseline configuration tool = 0
Can demonstrate using a baseline configuration tool = 3
Score:
Detection
63 Does the vendor’s security policy contain guidance for regularly scheduled routine security audits performed by an external party?
IA Control: ECMT-1, VIVM-1
List of Items to be Included:
1. Operating Systems
2. Web Servers
3. Browsers
4. Web Services
5. Database
6. Network sensors
7. Firewalls
8. Applications
9. Wireless
Description Criteria:
Does not contain guidance for regularly scheduled routine security audits performed by an external party or cannot describe policy = 0
Can describe security policy & it contains guidance for regularly scheduled routine security audits performed by an external party = 1
Documentation Criteria:
Does not contain guidance for regularly scheduled routine security audits performed by external party or cannot provide documentation of policy = 0
Can provide a copy of security policy which requires routine security audits performed by external party but policy does not include all of listed items = 1
Can provide a copy of security policy which requires routine security audits performed by external party & policy does include all of listed items = 2
Demonstration Criteria:
Does not contain guidance for regularly scheduled routine security audits performed by external party or cannot demonstrate policy = 0
Can demonstrate security policy which requires routine security audits performed by external party but policy includes only operating systems = 1
Can demonstrate security policy which requires routine security audits performed by external party but policy includes operating systems but not all of listed items = 2
Can demonstrate security policy which requires routine security audits performed by external party & policy includes all of listed items = 3
Score:


64. Does the vendor perform verification of their perimeter router policies?
IA Control: ECMT-1

Question to Ask
1. How often does the vendor perform verification of their perimeter router policies?

Description Criteria
Does not perform verification of their perimeter router policies or cannot describe verification process = 0
Can describe verification of their perimeter router policies = 1

Documentation Criteria
Does not perform verification of their perimeter router policies or cannot provide documentation of verification = 0
Can provide documentation which requires performing verification of perimeter router policies less frequently than monthly = 1
Can provide documentation which requires performing verification of perimeter router policies monthly or more frequently than monthly = 2

Demonstration Criteria
Does not perform verification of their perimeter router policies or cannot demonstrate verification = 0
Can demonstrate verification of their perimeter router policies & verification is done less frequently than quarterly = 1
Can demonstrate verification of their perimeter router policies & verification is done quarterly or less frequently than monthly = 2
Can demonstrate verification of their perimeter router policies & verification is done monthly or more frequently than monthly = 3

Score

65. Is the vendor firewall or network sensor configured to alert for unauthorized access attempts and privilege escalation?
IA Control: ECAT-2

Description Criteria
Firewall/Network sensor is not configured to alert or cannot describe how firewall/network sensor is configured to alert = 0
Can describe how firewall/network sensor is configured to alert for unauthorized access attempts & privilege escalation = 1

Documentation Criteria
Firewall/Network sensor is not configured to alert or cannot provide documentation on how firewall/network sensor is configured to alert = 0
Can provide documentation on how firewall/network sensor is configured to alert = 2

Demonstration Criteria
Firewall/Network sensor is not configured to alert or cannot demonstrate how firewall/network sensor is configured to alert = 0
Can demonstrate how firewall/network sensor is configured to alert = 3

Score
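The alerting that item 65 asks a vendor to demonstrate has two halves: repeated denied connections from one source (unauthorized access attempts) and events that grant or use elevated rights (privilege escalation). The following is an added example, not part of the DISA checklist and not any vendor's sensor configuration; it runs a minimal version of both detections over constructed log lines. The log format, hostnames, addresses, user names and the threshold of five denies are all assumptions made for the example.

```python
"""Added example (not part of the DISA checklist): the kind of alerting logic
item 65 expects a firewall or network sensor to provide, run over constructed
log lines of an assumed syslog-like shape."""
import re
from collections import defaultdict

# Constructed sample lines; hosts, users, addresses and timestamps are made up.
SAMPLE_LOGS = """\
2007-01-29T08:00:01 fw01 DENY TCP 203.0.113.7:51000 -> 192.0.2.10:22
2007-01-29T08:00:02 fw01 DENY TCP 203.0.113.7:51001 -> 192.0.2.10:22
2007-01-29T08:00:03 fw01 DENY TCP 203.0.113.7:51002 -> 192.0.2.10:22
2007-01-29T08:00:04 fw01 DENY TCP 203.0.113.7:51003 -> 192.0.2.10:22
2007-01-29T08:00:05 fw01 DENY TCP 203.0.113.7:51004 -> 192.0.2.10:22
2007-01-29T08:01:10 fw01 DENY TCP 198.51.100.4:40000 -> 192.0.2.10:443
2007-01-29T08:05:00 web01 sshd: Accepted publickey for jdoe from 192.0.2.50
2007-01-29T08:05:30 web01 sudo: jdoe : TTY=pts/0 ; USER=root ; COMMAND=/bin/bash
2007-01-29T08:06:00 web01 usermod: add 'jdoe' to group 'wheel'
"""

# Assumed line shapes for the three event types the example understands.
DENY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) DENY (?P<proto>\S+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
SUDO_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: (?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
GROUP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) usermod: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'$")

DENY_THRESHOLD = 5                       # assumed: alert on the fifth deny from one source to one port
PRIVILEGED_GROUPS = {"wheel", "sudo", "root", "Administrators"}   # assumed list


def analyze(log_text, deny_threshold=DENY_THRESHOLD):
    """Return a list of (kind, detail) alert tuples in the order they fire."""
    alerts = []
    denies = defaultdict(int)            # (src, dst, dport) -> count of denied attempts
    for line in log_text.splitlines():
        m = DENY_RE.match(line)
        if m:
            key = (m["src"], m["dst"], m["dport"])
            denies[key] += 1
            if denies[key] == deny_threshold:     # fire once, when the threshold is reached
                alerts.append(("unauthorized_access_attempts",
                               f"{deny_threshold} denied connections from {m['src']} "
                               f"to {m['dst']}:{m['dport']}"))
            continue
        m = SUDO_RE.match(line)
        if m and m["target"] == "root":           # a command run as root via sudo
            alerts.append(("privilege_escalation",
                           f"{m['user']} ran {m['cmd'].strip()} as root on {m['host']}"))
            continue
        m = GROUP_RE.match(line)
        if m and m["group"] in PRIVILEGED_GROUPS:  # membership in a privileged group granted
            alerts.append(("privilege_escalation",
                           f"{m['user']} added to privileged group {m['group']} on {m['host']}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOGS):
        print(f"ALERT {kind}: {detail}")
```

On the constructed input the run raises one unauthorized-access alert (five denies from 203.0.113.7 to port 22) and two privilege-escalation alerts; the single deny from 198.51.100.4 and the successful key-based login stay below the threshold and produce nothing, which is the behaviour a reviewer should expect a real sensor to show when the vendor demonstrates it.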


66. Does the vendor routinely check that no new ports, protocols, or services are activated without approval by the configuration management board?
IA Control: DCID-1, DCPP-1

Description Criteria
Does not routinely check that no PPS are activated without approval or cannot describe checking process = 0
Can describe process for routinely checking that no new PPS are activated without approval = 1

Documentation Criteria
Does not routinely check that no PPS are activated without approval or cannot provide documentation of checking process = 0
Can provide documentation for routinely checking that no new PPS are activated without approval = 2

Demonstration Criteria
Does not routinely check that no PPS are activated without approval or cannot demonstrate checking process = 0
Can demonstrate checking that no new PPS are activated without approval = 3

Score
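The check behind item 66 (and behind the port-scan question, item 90, in the Vulnerability Management section) is a comparison: the PPS actually active on a host against the PPS the configuration management board has approved. Below is an added example of that comparison, not the checklist's own tooling and not any vendor's process. The approved-PPS register, the socket snapshot (written in the shape of `ss -lntup` output) and all names, ports and PIDs in it are constructed for the example.

```python
"""Added example (not from the DISA checklist): compare the ports, protocols
and services (PPS) observed listening on a host against the register approved
by the configuration management board, as items 66 and 90 describe."""
import re

# Constructed approved-PPS register: (protocol, port) -> approved service.
APPROVED_PPS = {
    ("tcp", 22): "ssh",
    ("tcp", 443): "https",
    ("udp", 123): "ntp",
}

# Constructed listening-socket snapshot in the shape of `ss -lntup` output
# (process names, PIDs and addresses are made up for the example).
OBSERVED = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1204,fd=6))
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("java",pid=2210,fd=9))
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*         users:(("ntpd",pid=655,fd=16))
udp   UNCONN 0      0      0.0.0.0:1900       0.0.0.0:*         users:(("minissdpd",pid=701,fd=5))
"""

PROC_RE = re.compile(r'\(\("(?P<name>[^"]+)"')   # first process name in the Process column


def parse_sockets(text):
    """Yield (proto, port, process) for each socket line after the header row."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        proto = fields[0]
        port = int(fields[4].rsplit(":", 1)[1])   # "0.0.0.0:22" -> 22
        m = PROC_RE.search(line)
        yield proto, port, (m["name"] if m else "?")


def unapproved_pps(text, approved=APPROVED_PPS):
    """Sorted (proto, port, process) tuples that are active without board approval."""
    findings = {(proto, port, proc)
                for proto, port, proc in parse_sockets(text)
                if (proto, port) not in approved}
    return sorted(findings)


def missing_pps(text, approved=APPROVED_PPS):
    """Approved PPS not observed; a stopped service or a stale register shows up here."""
    seen = {(proto, port) for proto, port, _ in parse_sockets(text)}
    return sorted(key for key in approved if key not in seen)


if __name__ == "__main__":
    for proto, port, proc in unapproved_pps(OBSERVED):
        print(f"UNAPPROVED {proto}/{port} ({proc})")
    for proto, port in missing_pps(OBSERVED):
        print(f"APPROVED BUT NOT LISTENING {proto}/{port}")
```

Run routinely (the cadence the checklist scores elsewhere), the two lists are what a reviewer would ask to see: anything in `unapproved_pps` either needs a change request through the board or needs to be shut down, and `missing_pps` keeps the register honest when a service is retired.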


67. Does the vendor comply with DoD ports, protocols, and services guidance?
IA Control: DCID-1, DCPP-1

Description Criteria
Does not comply with the PPS guidance or cannot describe how they do comply = 0
Can describe how they comply with the PPS guidance = 1

Documentation Criteria
Does not comply with the PPS guidance or cannot provide documentation on how they do comply = 0
Can provide documentation on how they do comply = 2

Demonstration Criteria
Does not comply with the PPS guidance or cannot demonstrate how they do comply = 0
Can demonstrate how they do comply = 3

Score


68. Does the vendor’s security policy require routine review of HIDs, NIDs, and firewall rules for accuracy, efficiency and their ability to withstand new attacks?
IA Control: ECMT-1

Question to Ask
1. How often are reviews completed?

Description Criteria
Does not require routine review of HIDs, NIDs, & firewall rules or cannot describe policy with this requirement = 0
Can describe how they routinely review HIDs, NIDs, & firewall rules = 1

Documentation Criteria
Does not require routine review of HIDs, NIDs, & firewall rules or cannot provide policy with this requirement = 0
Can provide documentation on how they routinely review HIDs, NIDs, & firewall rules but review is performed less frequently than monthly = 1
Can provide documentation on how they routinely review HIDs, NIDs, & firewall rules but review is performed monthly or more frequently than monthly = 2

Demonstration Criteria
Does not require routine review of HIDs, NIDs, & firewall rules or cannot demonstrate the policy with this requirement = 0
Can demonstrate how they routinely review HIDs, NIDs, & firewall rules but review occurs less frequently than quarterly = 1
Can demonstrate how they routinely review HIDs, NIDs, & firewall rules but review occurs quarterly or more frequently than quarterly but less frequently than monthly = 2
Can demonstrate how they routinely review HIDs, NIDs, & firewall rules but review occurs monthly or more frequently than monthly = 3

Score
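Item 68 scores how often firewall rules are reviewed for accuracy and efficiency, but not what such a review looks for. Two findings a reviewer always wants from a first-match rule set are rules an earlier rule makes unreachable (shadowed when the actions differ, redundant when they agree) and permits broad enough to need written justification. The block below is an added example of that review pass, not the checklist's own procedure and not any vendor's tooling; the rule set, its field layout and the "any source to any destination on any port" test for over-breadth are constructed for the example.

```python
"""Added example (not from the DISA checklist): a review pass over a constructed
first-match firewall rule set, reporting unreachable rules and overly broad
permits, the kind of accuracy and efficiency check item 68 expects."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: str             # source CIDR
    dst: str             # destination CIDR
    ports: tuple         # (low, high) destination port range, inclusive


# Constructed rule set, evaluated first match wins, top to bottom.
RULES = [
    Rule("r1", "permit", "tcp", "0.0.0.0/0",      "192.0.2.10/32", (443, 443)),
    Rule("r2", "deny",   "any", "203.0.113.0/24", "192.0.2.0/24",  (1, 65535)),
    Rule("r3", "permit", "tcp", "203.0.113.5/32", "192.0.2.20/32", (22, 22)),    # never reached: r2 denies it first
    Rule("r4", "permit", "tcp", "10.0.0.0/8",     "192.0.2.10/32", (443, 443)),  # already permitted by r1
    Rule("r5", "permit", "any", "0.0.0.0/0",      "0.0.0.0/0",     (1, 65535)),  # needs justification
]


def covers(outer, inner):
    """True when every packet matched by `inner` is already matched by `outer`."""
    proto_ok = outer.proto == "any" or outer.proto == inner.proto
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    ports_ok = outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]
    return proto_ok and src_ok and dst_ok and ports_ok


def is_any_any_permit(rule):
    """Assumed over-breadth test: a permit with no source, destination or port restriction."""
    return (rule.action == "permit" and rule.src == "0.0.0.0/0"
            and rule.dst == "0.0.0.0/0" and rule.ports == (1, 65535))


def review(rules):
    """Return (rule name, finding) pairs in rule order."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, f"{kind} by {earlier.name}"))
                break                  # the first covering rule is the one that decides
        if is_any_any_permit(later):
            findings.append((later.name, "permits any source to any destination on any port"))
    return findings


if __name__ == "__main__":
    for name, finding in review(RULES):
        print(f"{name}: {finding}")
```

The containment test is deliberately conservative: it only reports a rule when one earlier rule covers it entirely, so a rule that is partly masked by several earlier rules is left for the human reviewer rather than reported with false confidence.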


Reaction
69. Does the vendor have a documented Incident Response Program?
IA Control: VIIR-1

Description Criteria
Does not have documented Incident Response Program or cannot describe Incident Response Program = 0
Can describe Incident Response Program = 1

Documentation Criteria
Does not have documented Incident Response Program or cannot provide documentation of Incident Response Program = 0
Can provide documentation of the Incident Response Program = 2

Demonstration Criteria
Does not have documented Incident Response Program or cannot demonstrate the Incident Response Program = 0
Can demonstrate Incident Response Program = 3

Score


70. Does the vendor have a documented Incident Response policy?
IA Control: VIIR-1

List of Items to be Included
1. Statement of management commitment
2. Purpose & objectives of policy
3. Scope of policy
4. Definition of computer incident & their consequences
5. Organizational structure
6. Roles, responsibilities & level of authority
7. Prioritization or severity rating of incident
8. Performance measures
9. Methods of secure communication
10. Reporting & contract forms

Description Criteria
Does not have documented Incident Response policy or cannot describe Incident Response policy = 0
Can describe Incident Response policy = 1

Documentation Criteria
Does not have documented Incident Response policy or Incident Response policy does not include any of listed items or cannot provide Incident Response policy = 0
Can provide Incident Response policy & it includes 1 – 5 of listed items = 1
Can provide Incident Response policy & it includes 6 – 10 of listed items = 2

Demonstration Criteria
Does not have documented Incident Response policy or Incident Response policy does not include any of listed items or cannot demonstrate Incident Response policy = 0
Can demonstrate Incident Response policy & it includes 1 – 3 of listed items = 1
Can demonstrate Incident Response policy & it includes 4 – 7 of listed items = 2
Can demonstrate Incident Response policy & it includes 8 – 10 of listed items = 3

Score


71. Does the vendor have documented Incident Response procedures?
IA Control: VIIR-1

List of Items to be Included
1. Standard Operating Procedures (SOP)
2. Identification of incident
3. Reporting of incident
4. Actions to be taken
5. Containment of incident
6. Eradication of incident
7. Recovery of incident
8. Contact Information
   a. Internal parties
   b. External parties
9. List of threats to guard against & respond to
10. Incident reporting forms (internal)
11. Incident reporting forms (External)
12. Equipment List
13. Checklists

Description Criteria
Does not have documented Incident Response procedures or cannot describe Incident Response procedures = 0
Can describe Incident Response procedures = 1

Documentation Criteria
Does not have documented Incident Response procedures or cannot provide documentation of Incident Response procedures = 0
Can provide Incident Response procedures & it includes 1 – 7 of listed items = 1
Can provide Incident Response procedures & it includes 8 – 15 of listed items = 2

Demonstration Criteria
Does not have documented Incident Response procedures or cannot demonstrate Incident Response procedures = 0
Can demonstrate Incident Response procedure & it includes 1 – 5 of listed items = 1
Can demonstrate Incident Response procedure & it includes 6 – 10 of listed items = 2
Can demonstrate Incident Response procedure & it includes 11 – 15 of listed items = 3

Score


72. Are the Incident Response procedures published in hard copy?
IA Control: VIIR-1

Description Criteria
Are not published in hard copy or cannot describe requirement for publishing in hard copy = 0
Can describe requirement for Incident Response procedures to be published in hard copy = 1

Documentation Criteria
Are not published in hard copy or cannot provide documentation of requirement for publishing in hard copy = 0
Can provide hard copy of the Incident Response procedures = 2

Demonstration Criteria
Are not published in hard copy or cannot demonstrate publishing in hard copy = 0
Can demonstrate publishing hard copy of Incident Response procedures = 3

Score


73. Are the Incident Response procedures published on the Intranet or some shared media?
IA Control: VIIR-1

Description Criteria
Are not published on Intranet or some shared media or cannot describe requirement for publishing on Intranet or some shared media = 0
Are published on Intranet or some shared media = 1

Documentation Criteria
Are not published on Intranet or some shared media or cannot provide documentation of requirement for publishing on Intranet or some shared media = 0
Can provide documentation of requirement for publishing on Intranet or some shared media = 2

Demonstration Criteria
Are not published on Intranet or some shared media or cannot demonstrate that procedures are published on Intranet or some shared media = 0
Can demonstrate that procedures are published on Intranet or some shared media = 3

Score


74. Is the Incident Response policy reviewed and updated on a regular basis?
IA Control: VIIR-1

Question to Ask
1. How often is the review and update performed?

Description Criteria
Is not reviewed & updated or cannot describe process for reviewing & updating policy = 0
Can describe how policy is reviewed & updated = 1

Documentation Criteria
Is not reviewed & updated or cannot describe process for reviewing & updating policy = 0
Can describe process for reviewing & updating policy & process performed less frequently than yearly = 1
Can describe process for reviewing & updating policy & process performed yearly or more frequently than yearly = 2

Demonstration Criteria
Is not reviewed & updated or cannot demonstrate process for reviewing & updating policy = 0
Can demonstrate process for reviewing & updating policy & process has been performed less frequently than yearly = 2
Can demonstrate process for reviewing & updating policy & process has been performed yearly or more frequently than yearly = 3

Score


75. Is initial Incident Response training provided to user community?
IA Control: PECF-1, PRRB-1, VIIR-1

Description Criteria
Is not provided to users or cannot describe the requirement for providing initial training to user = 0
Can describe their requirement for providing initial Incident Response training to user = 1

Documentation Criteria
Is not provided to users or cannot provide documentation of providing initial training to user = 0
Can provide documentation of providing initial Incident Response training to user = 2

Demonstration Criteria
Is not provided to users or cannot demonstrate providing initial training to user = 0
Can demonstrate providing initial Incident Response training to user = 3

Score


76. Is refresher Incident Response training provided periodically to user community?
IA Control: PECF-1, PRRB-1, VIIR-1

Question to Ask
1. How often is training provided?

Description Criteria
Is not provided to users or cannot describe requirement for providing refresher training to user = 0
Can describe requirement for providing refresher Incident Response training to user = 1

Documentation Criteria
Is not provided to users or cannot provide documentation of providing refresher training to user = 0
Can provide documentation of providing refresher Incident Response training to user & training is provided less frequently than yearly = 1
Can provide documentation of providing refresher Incident Response training to user & training is provided yearly or more frequently than yearly = 2

Demonstration Criteria
Is not provided to users or cannot demonstrate providing refresher training to user = 0
Can demonstrate providing refresher Incident Response training to user & training is provided less frequently than yearly = 2
Can demonstrate providing refresher Incident Response training to user & training is provided yearly or more frequently than yearly = 3

Score


77. Is there an Incident Response reporting mechanism in place?
IA Control: VIIR-1

List of Items to be Included
1. Who discovered the incident
2. How incident was recognized
3. Nature of incident
4. When did the incident occur
5. When was the incident detected
6. What is the impact to clients
7. Who was involved
8. What evidence was recovered
9. Where did the incident occur
10. Affected computer information
11. Why it happened
12. How it occurred
13. Team activities
14. Who was notified
   a. Internal
   b. External
15. Resolution

Description Criteria
Does not have Incident Response reporting mechanism or cannot describe Incident Response reporting mechanism = 0
Can describe Incident Response reporting mechanism = 1

Documentation Criteria
Does not have Incident Response reporting mechanism or cannot provide documentation of Incident Response reporting mechanism = 0
Can provide documentation of Incident Response reporting mechanism & it includes 1 – 8 of listed items = 1
Can provide documentation of Incident Response reporting mechanism & it includes 8 – 16 of listed items = 2

Demonstration Criteria
Does not have Incident Response reporting mechanism or cannot demonstrate Incident Response reporting mechanism = 0
Can demonstrate reporting mechanism & it includes 1 – 6 of listed items = 1
Can demonstrate reporting mechanism & it includes 7 – 11 of listed items = 2
Can demonstrate reporting mechanism & it includes 12 – 16 of listed items = 3

Score


78. Is the Incident Response reporting mechanism on a computer database, paper, or both?
IA Control: VIIR-1

Description Criteria
Is not database, paper, or both or cannot describe their requirement for reporting mechanism to be on database, paper, or both = 0
Can describe their requirement for reporting mechanism to be on database, paper, or both = 1

Documentation Criteria
Is not database, paper, or both or cannot provide documentation of their requirement for reporting mechanism to be on database, paper, or both = 0
Can provide documentation of reporting mechanism to be on paper only = 1
Can provide documentation of requirement for reporting mechanism to be on paper & database = 2

Demonstration Criteria
Is not provided to users or cannot demonstrate providing initial training to user = 0
Can demonstrate reporting mechanism to be on paper only = 1
Can demonstrate reporting mechanism to be on database only = 2
Can demonstrate reporting mechanism to be on paper & database = 3


79. Are the Incident Response reports sent to management on a regular basis?
IA Control: VIIR-1

Question to Ask
1. How often are reports sent to management?

Description Criteria
Are not sent to management on regular basis or cannot describe how reports are sent to management on regular basis = 0
Can describe how reports are sent to management on regular basis = 1

Documentation Criteria
Are not sent to management on regular basis or cannot provide documentation of requirement for reports to be sent to management on regular basis = 0
Can provide documentation of requirement for reports to be sent to management on regular basis & reports are sent less frequently than monthly = 1
Can provide documentation of requirement for reports to be sent to management on regular basis & reports are sent monthly or more frequently than monthly = 2

Demonstration Criteria
Are not sent to management on regular basis or cannot demonstrate requirement for reports to be sent to management on regular basis = 0
Can demonstrate requirement for reports to be sent to management on regular basis & reports are sent yearly or less frequently than yearly = 1
Can demonstrate requirement for reports to be sent to management on regular basis & reports are sent quarterly or less frequently than quarterly but more frequently than yearly = 2
Can demonstrate requirement for reports to be sent to management on regular basis & reports are sent monthly or less frequently than monthly but more frequently than quarterly = 3

Score


80. Are the Incident Response procedures tested periodically through exercises or simulations?
IA Control: VIIR-1

Question to Ask
1. How often are the procedures tested?

Description Criteria
Are not tested periodically or cannot describe how procedures are tested periodically = 0
Can describe how procedures are tested periodically = 1

Documentation Criteria
Are not tested periodically or cannot provide documentation on how procedures are tested periodically = 0
Can provide documentation on how procedures are tested periodically & procedures are tested less frequently than monthly = 1
Can provide documentation on how procedures are tested periodically & procedures are tested monthly or more frequently than monthly = 2

Demonstration Criteria
Are not tested periodically or cannot demonstrate how procedures are tested periodically = 0
Can demonstrate how procedures are tested periodically & procedures are tested yearly or less frequently than yearly = 1
Can demonstrate how procedures are tested & procedures are tested quarterly or less frequently than quarterly but more frequently than yearly = 2
Can demonstrate how procedures are tested & procedures are tested monthly or less frequently than monthly but more frequently than quarterly = 3

Score


81. Does the Incident Response Team include members from all key functional areas?
IA Control: VIIR-1

List of Items to be Included
1. Senior Management
2. Human Resources/Personnel
3. Information Technology/Information Security
4. Technical Staff Members
5. Budget or Finance

Description Criteria
Does not have members from all key functional areas or cannot describe who is on the Incident Response Team = 0
Can describe who is on the Incident Response Team = 1

Documentation Criteria
Does not have members from all key functional areas or cannot provide documentation for who is on Team = 0
Can provide documentation of who is on the Incident Response Team & it includes 1 – 3 of the listed items = 1
Can provide documentation of who is on the Incident Response Team & it includes 4 – 5 of the listed items = 2

Demonstration Criteria
Does not have members from all key functional areas or cannot demonstrate who is on Team = 0
Can demonstrate who is on the Incident Response Team & it includes 1 – 2 of the listed items = 1
Can demonstrate who is on the Incident Response Team & it includes 3 – 4 of the listed items = 2
Can demonstrate who is on the Incident Response Team & it includes 5 of the listed items = 3

Score


Configuration Management
82. Does the configuration management plan include hardware, operating system, utility software, communication, network device changes, application and facilities?
IA Control: DCID-1, DCII-1, DCPR-1

Description Criteria
Does not exist or it does not include all of the items or cannot describe the configuration management plan = 0
Can describe the configuration management plan & it includes all of the items = 1

Documentation Criteria
Does not exist or it does not include all of the items or cannot provide documentation of the configuration management plan = 0
Can provide documentation of the configuration management plan = 2

Demonstration Criteria
Does not exist or it does not include all of the items or cannot demonstrate the configuration management plan = 0
Can demonstrate the configuration management plan = 3

Score


83. Does the configuration management plan contain the necessary items?
IA Control: DCCB-1, DCII-1, DCPR-1

List of Items to be Included
1. Identify the configuration change
2. Contain an approval process
3. Review the configuration change
4. Schedule the configuration change
5. Track the implementation of the configuration change
6. Track system impact of the configuration change
7. Record & report configuration change to the appropriate party
8. Back out plan if the configuration change does not work as planned
9. Provide for minutes of the meeting
10. Emergency change procedures
11. List of team members from key functional areas

Description Criteria
Does not have configuration management plan or cannot describe configuration management plan = 0
Can describe configuration management plan = 1

Documentation Criteria
Does not have configuration management plan or cannot provide documentation of configuration management plan = 0
Can provide documentation of configuration management plan & it includes 1 – 5 of listed items = 1
Can provide documentation of configuration management plan & it includes 6 – 11 of listed items = 2

Demonstration Criteria
Does not have configuration management plan or cannot demonstrate plan = 0
Can demonstrate configuration management plan & it includes 1 – 4 of listed items = 1
Can demonstrate configuration management plan & it includes 5 – 8 of listed items = 2
Can demonstrate configuration management plan & it includes 9 – 11 of listed items = 3

Score


84. Is the configuration management process automated or manual?
IA Control: DCCB-1, DCII-1, DCPR-1

Description Criteria
Does not have configuration management process or cannot describe configuration management process = 0
Can describe configuration management process = 1

Documentation Criteria
Does not have configuration management process or cannot provide documentation of configuration management process = 0
Can provide documentation of configuration management process & process is manual = 1
Can provide documentation of configuration management process & process is automated = 2

Demonstration Criteria
Does not have configuration management process or cannot demonstrate configuration management process = 0
Can demonstrate configuration management process & process is manual = 2
Can demonstrate configuration management process & process is automated = 3

Score


Vulnerability Management
85. Does the vendor’s security policy contain guidance for regularly scheduled internal vulnerability audits?
IA Control: VIVM-1

Question to Ask
1. How often are vulnerability audits performed?

Description Criteria
Does not require regularly scheduled internal vulnerability audits or cannot describe the requirement = 0
Can describe the requirement for regularly scheduled vulnerability audits = 1

Documentation Criteria
Does not require regularly scheduled internal vulnerability audits or cannot describe the requirement = 0
Can provide documentation which requires regularly scheduled internal vulnerability audits & audits are performed less frequently than monthly = 1
Can provide documentation which requires regularly scheduled internal vulnerability audits & audits are performed monthly or more frequently than monthly = 2

Demonstration Criteria
Does not require regularly scheduled internal vulnerability audits or cannot describe the requirement = 0
Can demonstrate requirement for regularly scheduled vulnerability audits & audits are performed yearly or less frequently than yearly = 1
Can demonstrate requirement for regularly scheduled vulnerability audits & audits are performed quarterly or less frequently than quarterly but more frequently than yearly = 2
Can demonstrate requirement for regularly scheduled vulnerability audits & audits are performed monthly or less frequently than monthly but more frequently than quarterly = 3

Score


86. Does the vendor utilize a network vulnerability scanner?
IA Control: VIVM-1

Question to Ask
1. How often is the network scanned?

Description Criteria
Does not utilize network vulnerability scanner or cannot describe how their scanner is used = 0
Can describe how their scanner is used = 1

Documentation Criteria
Does not utilize network vulnerability scanner or cannot provide documentation of how their scanner is used = 0
Can provide documentation of how their scanner is used & scans are performed less frequently than monthly = 1
Can provide documentation of how their scanner is used & scans are performed monthly or more frequently than monthly = 2

Demonstration Criteria
Does not utilize network vulnerability scanner or cannot demonstrate how their scanner is used = 0
Can demonstrate how their scanner is used & scans are performed yearly or less frequently than yearly = 1
Can demonstrate how their scanner is used & scans are performed quarterly or less frequently than quarterly but more frequently than yearly = 2
Can demonstrate how their scanner is used & scans are performed monthly or less frequently than monthly but more frequently than quarterly = 3

Score


87. Are the results of the network vulnerability scans sent to management on a regular basis?
IA Control: VIVM-1

Description Criteria
Are not sent to management or cannot describe the requirement for network vulnerability scan results to be sent to management = 0
Can describe the requirement for network vulnerability scan results to be sent to management = 1

Documentation Criteria
Are not sent to management or cannot provide documentation of the requirement for network vulnerability scan results to be sent to management = 0
Can provide documentation of the requirement for network vulnerability scan results to be sent to management = 2

Demonstration Criteria
Are not sent to management or cannot demonstrate the requirement for network vulnerability scan results to be sent to management = 0
Can demonstrate network vulnerability scan results to be sent to management = 3

Score


88. Is there a process in place to regularly correct discovered vulnerabilities and configuration discrepancies?
IA Control: VIVM-1

Description Criteria
Does not have process to correct discovered vulnerabilities & configuration discrepancies or cannot describe the process to correct discovered vulnerabilities & configuration discrepancies = 0
Can describe process to correct discovered vulnerabilities & configuration discrepancies = 1

Documentation Criteria
Does not have process to correct discovered vulnerabilities & configuration discrepancies or cannot provide documentation of process to correct discovered vulnerabilities & configuration discrepancies = 0
Can provide documentation of process to correct discovered vulnerabilities & configuration discrepancies = 2

Demonstration Criteria
Does not have process to correct discovered vulnerabilities & configuration discrepancies or cannot demonstrate process to correct discovered vulnerabilities & configuration discrepancies = 0
Can demonstrate process to correct discovered vulnerabilities & configuration discrepancies = 3

Score

89. Does the vendor have a verification process for ensuring vulnerabilities and configuration discrepancies have been corrected?
IA Control: VIVM-1
Criteria:
  Does not have process for ensuring vulnerabilities & configuration discrepancies have been corrected or cannot describe correction process = 0
  Can describe the vulnerability & configuration discrepancy correction process = 1
Documentation Criteria:
  Does not have process for ensuring vulnerabilities & configuration discrepancies have been corrected or cannot provide documentation of correction process = 0
  Can provide documentation of the correction process = 2
Demonstration Criteria:
  Does not have process for ensuring vulnerabilities & configuration discrepancies have been corrected or cannot demonstrate correction process = 0
  Can demonstrate corrections have been made = 3
Score

90. Does the vendor routinely run a port scanning tool to ensure no new or unexpected ports, protocols, or services are discovered?
IA Control: VIVM-1
Question to Ask
1. How often are ports scanned?
Criteria:
  Does not utilize port scanner to ensure no new or unexpected PPS are discovered or cannot describe how their scanner is used = 0
  Can describe how their scanner is used = 1
Documentation Criteria:
  Does not utilize port scanner to ensure no new or unexpected PPS are discovered or cannot provide documentation of requirement to use a port scanner = 0
  Can provide documentation of requirement to use port scanner & scans are performed less frequently than monthly = 1
  Can provide documentation of requirement to use port scanner & scans are performed monthly or more frequently than monthly = 2
Demonstration Criteria:
  Does not utilize port scanner to ensure no new or unexpected PPS are discovered or cannot demonstrate how their scanner is used = 0
  Can demonstrate how their scanner is used & scans are performed yearly or less frequently than yearly = 1
  Can demonstrate how their scanner is used & scans are performed quarterly or less frequently than quarterly but more frequently than yearly = 2
  Can demonstrate how their scanner is used & scans are performed monthly or less frequently than monthly but more frequently than quarterly = 3
Score

91. Is the vendor’s application compliant with the DoD Ports, Protocols, and Services CAL?
IA Control: DCPP-1
Criteria:
  Is not compliant with the PPS CAL or cannot describe how they are compliant = 0
  Can describe how they are compliant with the PPS CAL = 1
Documentation Criteria:
  Is not compliant with PPS CAL or cannot describe how they are compliant = 0
  Can provide documentation of compliancy with the PPS CAL = 2
Demonstration Criteria:
  Is not compliant with PPS CAL or cannot describe how they are compliant = 0
  Can demonstrate they are compliant with the PPS CAL = 3
Score

92. Are the results of the port scans sent to management on a regular basis?
IA Control: VIVM-1
Criteria:
  Are not sent to management or cannot describe requirement for port scan results to be sent to management = 0
  Can describe requirement for port scan results to be sent to management = 1
Documentation Criteria:
  Are not sent to management or cannot provide documentation of the requirement for port scan results to be sent to management = 0
  Can provide documentation of the requirement for port scan results to be sent to management = 2
Demonstration Criteria:
  Are not sent to management or cannot demonstrate requirement for port scan results to be sent to management = 0
  Can demonstrate port scan results to be sent to management = 3
Score

93. What ports, protocols, and services are necessary for access to the application from outside the local enclave?
IA Control: DCPP-1, VIVM-1
Criteria:
  Note PPS and Compliance statement here:
Score

94. Does the vendor routinely run a web-scanning tool to check for new web vulnerabilities?
IA Control: VIVM-1
Criteria:
  Does not utilize web scanner to check for new web vulnerabilities or cannot describe how their web scanner is used = 0
  Can describe how their web scanner is used = 1
Documentation Criteria:
  Does not utilize web scanner to check for new web vulnerabilities or cannot provide documentation of requirement to scan web = 0
  Can provide documentation of requirement to scan web & scans are performed less frequently than monthly = 1
  Can provide documentation of requirement to scan web & scans are performed monthly or more frequently than monthly = 2
Demonstration Criteria:
  Does not utilize web scanner to check for new web vulnerabilities or cannot demonstrate how their web scanner is used = 0
  Can demonstrate how their web scanner is used & scans are performed yearly or less frequently than yearly = 1
  Can demonstrate how their web scanner is used & scans are performed quarterly or less frequently than quarterly but more frequently than yearly = 2
  Can demonstrate how their web scanner is used & scans are performed monthly or less frequently than monthly but more frequently than quarterly = 3
Score

95. Are the results of the web scans sent to management on a regular basis?
IA Control: VIVM-1
Criteria:
  Are not sent to management or cannot describe requirement for web scan results to be sent to management = 0
  Can describe the requirement for web scan results to be sent to management = 1
Documentation Criteria:
  Are not sent to management or cannot provide documentation of requirement for web scan results to be sent to management = 0
  Can provide documentation of requirement for web scan results to be sent to management = 2
Demonstration Criteria:
  Are not sent to management or cannot demonstrate requirement for web scan results to be sent to management = 0
  Can demonstrate web scan results are sent to management = 3
Score

96. Does the vendor routinely run a password checking tool?
IA Control: VIVM-1
Questions to Ask
1. How frequently is the password checking tool run?
2. Are they using non-DoD PKI or DoD PKI?
Criteria:
  Does not utilize password checking tool or cannot describe how their password checking tool works = 0
  Can describe how their password checking tool works = 1
Documentation Criteria:
  Does not utilize password checking tool or cannot provide documentation of requirement for tool = 0
  Can provide documentation of requirement for password checking tool & it is run less frequently than monthly or they are using non-DoD PKI = 1
  Can provide documentation of requirement for password checking tool & it is run monthly or more frequently than monthly or they are using DoD PKI = 2
Demonstration Criteria:
  Does not utilize password checking tool or cannot demonstrate how their password checking tool works = 0
  Can demonstrate how their password checking tool works & it is run less frequently than monthly or they are using non-DoD PKI = 2
  Can demonstrate how their password checking tool works & it is run monthly or more frequently than monthly or they are using DoD PKI = 3
Score

97. Are the results of the password checking tool sent to management on a regular basis?
IA Control: VIVM-1
Criteria:
  Are not sent to management or cannot describe requirement for password checking results to be sent to management = 0
  Can describe requirement for password checking results to be sent to management = 1
Documentation Criteria:
  Are not sent to management or cannot provide documentation of requirement for password checking results to be sent to management = 0
  Can provide documentation of requirement for password checking results to be sent to management = 2
Demonstration Criteria:
  Are not sent to management or cannot demonstrate requirement for password checking results to be sent to management = 0
  Can demonstrate password checking results are sent to management = 3
Score

98. Does the vendor subscribe to the applicable vendor’s security notification sites for the latest security vulnerabilities’ notifications?
IA Control: VIVM-1
Criteria:
  Does not subscribe to security notification sites or cannot describe requirement for subscribing to security notification sites = 0
  Can describe requirement for subscribing to security notification sites = 1
Documentation Criteria:
  Does not subscribe to security notification sites or cannot provide documentation of requirement for subscribing to security notification sites = 0
  Can provide documentation of requirement for subscribing to security notification sites = 2
Demonstration Criteria:
  Does not subscribe to security notification sites or cannot demonstrate they have subscribed to security notification sites = 0
  Can demonstrate they have subscribed to security notification sites = 3
Score

Personnel Security
99. Does the vendor have a documented requirement for a background security investigation?
IA Control: PRAS-1, PRMP-2, PRNK-1
Question to Ask
1. What type of background security investigation is required?
Criteria:
  Does not have requirement for background security investigation or cannot describe their background security investigation = 0
  Can describe their background security investigation = 1
Documentation Criteria:
  Does not have requirement for background security investigation or cannot provide documentation of requirement for background security investigation = 0
  Can provide documentation of the requirement for background security investigation & investigation is commercial or DoD/OPM = 1
  Can provide documentation of requirement for background security investigation & investigation is SSBI = 2
Demonstration Criteria:
  Does not have background security investigation or cannot demonstrate background security investigation has been done = 0
  Can demonstrate background security investigation has been done & investigation is commercial = 1
  Can demonstrate background security investigation has been done & investigation is DoD/OPM = 2
  Can demonstrate background security investigation has been done & investigation is SSBI = 2
Score

100. Does the vendor perform background security investigations on a regular basis?
IA Control: PRAS-1, PRMP-2, PRNK-1
Question to Ask
1. How frequently are background investigations performed?
Criteria:
  Does not have background security investigation or cannot describe their background security investigation = 0
  Can describe their background security investigation = 1
Documentation Criteria:
  Does not have background security investigation or cannot provide copy of background security investigation = 0
  Can provide documentation of background security investigation & investigation is performed less frequently than every 5 years = 1
  Can provide documentation of background security investigation & investigation is performed every 5 years or more frequently than every 5 years = 2
Demonstration Criteria:
  Does not have background security investigation or cannot demonstrate background investigation has been done = 0
  Can demonstrate security investigation has been done & investigation is performed less frequently than every 5 years = 2
  Can demonstrate security investigation has been done & investigation is performed every 5 years or more frequently than every 5 years = 3
Score

101. Can the vendor prove they perform background security investigations?
IA Control: PRAS-1, PRMP-2, PRNK-1
Thing to Consider
1. Is having a clearance a requirement in the Statement of Work?
Criteria:
  Cannot prove they do background investigations = 0
  Can prove they do background investigations = 2
Documentation Criteria:
  NA
Demonstration Criteria:
  NA
Score

102. Does the vendor’s background security investigation include pertinent areas?
IA Control: PRAS-1, PRMP-2, PRNK-1
List of Items to be Included
1. Does the hiring process restrict hiring a convicted felon?
2. Does the investigation cover participation or membership of subversive activities or groups?
3. Does the investigation research the credit background of the potential employee?
4. Does the hiring process require a drug screening test?
Criteria:
  Does not require background security investigation or they cannot describe their background investigation = 0
  Can describe their background investigation = 1
Documentation Criteria:
  Does not require background security investigation or they cannot provide documentation of their background investigation = 0
  Can provide documentation of their background investigation & it includes 1 – 2 of listed items = 1
  Can provide documentation of their background investigation & it includes 3 – 4 of listed items = 2
Demonstration Criteria:
  Does not require background security investigation or they cannot demonstrate their background investigation = 0
  Can demonstrate their background investigation & it includes 1 – 2 of listed items = 1
  Can demonstrate their background investigation & it includes 3 of listed items = 2
  Can demonstrate their background investigation & it includes 4 of listed items = 3
Score

103. Are vendor personnel subject to a background check?
IA Control: PRNK-1
List of Items to be Included
1. System Administrators
2. Help Desk
3. Administrative Personnel
4. Management
5. Janitorial Staff
Criteria:
  Are not subject to background check or cannot describe their background check = 0
  Can describe their background check = 1
Documentation Criteria:
  Are not subject to background check or cannot provide documentation of their background check = 0
  Can provide documentation of their background check & system administrators & help desk are subject to background check = 1
  Can provide documentation of their background check & all 5 of listed items are subject to background check = 2
Demonstration Criteria:
  Are not subject to background check or cannot demonstrate their background check = 0
  Can demonstrate their background check & system administrators & help desk are subject to background check = 1
  Can demonstrate their background check & system administrators, help desk, & management are subject to background check = 2
  Can demonstrate their background check & all 5 of listed items are subject to background check = 3
Score

104. Do the personnel assigned to doing background checks have a security clearance?
IA Control: PRNK-1
Criteria:
  Do not have security clearance or vendor cannot describe requirement for these personnel to have clearance = 0
  Can describe requirement for these personnel to have clearance = 1
Documentation Criteria:
  Do not have security clearance or vendor cannot provide documentation of requirement for these personnel to have clearance = 0
  Can provide documentation of requirement for these personnel to have clearance = 2
Demonstration Criteria:
  Do not have security clearance or vendor cannot demonstrate requirement for these personnel to have clearance = 0
  Can demonstrate these personnel have clearance = 3
Score

105. Does the vendor have a policy to ensure uncleared personnel are escorted?
IA Control: PEPK-1
Criteria:
  Does not have a policy for uncleared personnel to be escorted or cannot describe this policy = 0
  Can describe the policy which requires uncleared personnel to be escorted = 1
Documentation Criteria:
  Does not have policy for uncleared personnel to be escorted or cannot provide documentation of this policy = 0
  Can provide documentation of this policy = 2
Demonstration Criteria:
  Does not have policy for uncleared personnel to be escorted or cannot demonstrate this policy = 0
  Can demonstrate uncleared personnel are escorted = 3
Score

Physical Security
106. Is there access control at every physical access point to the vendor facility?
IA Control: PEPF-1
Criteria:
  Does not have access control at every access point or cannot describe how every physical access point has access control = 0
  Can describe how every physical access point has access control = 1
Documentation Criteria:
  Does not have access control at every access point or cannot provide documentation requiring access control at every physical access point = 0
  Can provide documentation requiring access control at every physical access point = 2
Demonstration Criteria:
  Does not have access control at every access point or cannot demonstrate how every physical access point has access control = 0
  Can demonstrate access control at every physical access point to the facility = 3
Score

107. Does the facility housing the equipment have a separate access control zone to restrict unauthorized personnel?
IA Control: PEPF-1
Criteria:
  Does not have separate access control zone to restrict unauthorized personnel or cannot describe how their separate access control zone is used to restrict unauthorized personnel = 0
  Can describe how their separate access control zone is used to restrict unauthorized personnel = 1
Documentation Criteria:
  Does not have separate access control zone to restrict unauthorized personnel or cannot provide documentation of the requirement that a separate access control zone is used to restrict unauthorized personnel = 0
  Can provide documentation of the requirement that a separate access control zone is used to restrict unauthorized personnel = 2
Demonstration Criteria:
  Does not have separate access control zone to restrict unauthorized personnel or cannot demonstrate how their separate access control zone is used to restrict unauthorized personnel = 0
  Can demonstrate how their separate access control zone is used to restrict unauthorized personnel = 3
Score

108. Does the facility housing the equipment have additional security measures (key control)?
IA Control: DCBP-1
Items to Consider
1. Area is locked with a key lock when not manned.
2. All doors, either interior or exterior, have Closed Circuit Television (CCTV)/motion detector.
3. Area is manned 24X7 or area is alarmed when not manned or area is locked with GSA-approved lock when not manned.
Criteria:
  Does not have additional security measures or cannot describe their additional security measures = 0
  Can describe how their additional security measures are present in facility or area housing equipment = 1
Documentation Criteria:
  Does not have additional security measures or cannot provide documentation requiring additional security measures = 0
  Can provide documentation requiring additional security measures = 2
Demonstration Criteria:
  Does not have additional security measures or cannot demonstrate their additional security measures = 0
  Can demonstrate their additional security measures on facility housing equipment & area is locked with key lock when not manned = 1
  Can demonstrate their additional security measures on facility housing equipment & all doors have CCTV/motion detector = 2
  Can demonstrate their additional security measures on facility housing equipment & area is manned 24X7 or area is alarmed when not manned or area is locked with GSA-approved combination lock when not manned = 3
Score

109. Does the facility have a disaster recovery plan?
IA Control: CODP-1, COAS-1
Question to Ask
1. Is the plan developed, documented, & tested annually?
Criteria:
  Does not have disaster recovery plan or cannot describe their disaster recovery plan = 0
  Can describe their disaster recovery plan = 1
Documentation Criteria:
  Does not have disaster recovery plan or cannot provide their disaster recovery plan = 0
  Can provide their disaster recovery plan but it is documented only = 1
  Can provide their disaster recovery plan & it is fully developed, documented & tested annually = 2
Demonstration Criteria:
  Does not have disaster recovery plan or cannot demonstrate their disaster recovery plan = 0
  Can demonstrate their disaster recovery plan but it is documented only = 2
  Can demonstrate their disaster recovery plan & it is fully developed, documented & tested annually = 3
Score

110. Does the facility have environmental controls?
IA Control: PEFD-1, PEHC-1, PETC-1, PEVR-1
Items to Include
1. Fire Suppression
2. Climate Controlled computer facility
Criteria:
  Does not have environmental controls or cannot describe their environmental controls = 0
  Can describe environmental controls = 1
Documentation Criteria:
  Does not have environmental controls or cannot provide documentation of their environmental controls = 0
  Can provide documentation of their environmental controls & it includes 1 of items listed = 1
  Can provide documentation of their environmental controls & it includes 2 of the items listed = 2
Demonstration Criteria:
  Does not have environmental controls or cannot demonstrate their environmental controls = 0
  Can demonstrate their environmental controls & it includes 1 of items listed = 2
  Can demonstrate environmental controls & it includes 2 of items listed = 3
Score

111. Does the vendor have an approved standoff disaster perimeter of defense?
IA Control: PEFD-1, PEHC-1, PETC-1, PEVR-1
Item to Consider
1. Based on MAC level, is the plan commensurate with the Statement of Work?
Criteria:
  Does not have approved standoff disaster perimeter of defense or cannot describe their approved standoff disaster perimeter of defense = 0
  Can describe approved standoff disaster perimeter of defense = 1
Documentation Criteria:
  Does not have approved standoff disaster perimeter of defense or cannot provide documentation of their approved standoff disaster perimeter of defense = 0
  Can provide documentation of their approved standoff disaster perimeter of defense = 2
Demonstration Criteria:
  Does not have approved standoff disaster perimeter of defense or cannot demonstrate their approved standoff disaster perimeter of defense = 0
  Can demonstrate their approved standoff disaster perimeter of defense = 3
Score

Security Awareness and Training


112. Do employees receive general security training?
IA Control: DCSD-1, PECF-1, PRRB-1, PRTN-1
Questions to Ask
1. Are training materials made available?
2. Is initial & annual training given & documented?
Criteria:
  Does not have general security training or cannot describe their general security training = 0
  Can describe their general security training = 1
Documentation Criteria:
  Does not have general security training or cannot provide documentation of their general security training = 0
  Can provide documentation of their general security training but it is only training materials made available = 1
  Can provide documentation of their general security training & it includes initial & annual training & the training is documented = 2
Demonstration Criteria:
  Does not have general security training or cannot demonstrate their general security training = 0
  Can demonstrate their general security training but it is only training materials made available = 2
  Can demonstrate their general security training & it includes initial & annual training & the training is documented = 3
Score

113. Do privileged users receive additional security training specific to their duties?
IA Control: PECF-1, PRRB-1, PRTN-1
Questions to Ask
1. Are privileged users given additional training?
2. Are system administrators, security personnel & other privileged users required to be certified?
Criteria:
  Do not receive additional security training or cannot describe privileged users’ additional training = 0
  Can describe privileged users’ additional training = 1
Documentation Criteria:
  Do not receive additional security training or cannot provide documentation of privileged users’ additional training = 0
  Can provide documentation of privileged users’ additional training = 1
  Can provide documentation of system administrators, security personnel, & privileged users’ additional training = 2
Demonstration Criteria:
  Does not have general security training or cannot demonstrate their general security training = 0
  Can demonstrate privileged users’ additional training = 2
  Can demonstrate system administrators, security personnel, & privileged users’ additional training = 3
Score
