From e4022c73e581beb3ba767da9f15249607baf6483 Mon Sep 17 00:00:00 2001 From: Wendell Piez Date: Tue, 20 Sep 2022 13:09:42 -0400 Subject: [PATCH] Cosmetic (whitespace) fixup --- .../rev5/xml/NIST_SP-800-53_rev5_catalog.xml | 21746 ++++++---------- .../SP800-53/rev5/xml/oscal-reformat.xsl | 126 + 2 files changed, 8720 insertions(+), 13152 deletions(-) create mode 100644 src/nist.gov/SP800-53/rev5/xml/oscal-reformat.xsl diff --git a/src/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml b/src/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml index f13729d2..5dc5a349 100644 --- a/src/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml +++ b/src/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml @@ -1,13 +1,11 @@ - + Electronic Version of NIST SP 800-53 Rev 5 Controls and SP 800-53A Rev 5 Assessment Procedures - 2022-09-19T13:00:52.415367-04:00 - 5.2.1 + 2022-09-20T13:02:56.5306901-04:00 + 5.2.1 1.0.0 - + @@ -41,27 +39,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the access control policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the access control policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the access control procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the access control procedures are to be disseminated is/are defined;

+
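Review bot: the subject calls this a whitespace-only fixup, but the first hunk also bumps the catalog's last-modified stamp from 2022-09-19T13:00:52.415367-04:00 to 2022-09-20T13:02:56.5306901-04:00 (seven fractional digits instead of six, which suggests a different tool wrote it); if the bump is intended, state that in the commit message, since downstream consumers read last-modified as a signal that content changed. The stat line also lists a new src/nist.gov/SP800-53/rev5/xml/oscal-reformat.xsl, yet its diff is not in this excerpt, and with 8720 insertions and 13152 deletions nobody can eyeball equivalence; please attach the exact stylesheet invocation and the result of a canonicalized, whitespace-normalized comparison of the old and new catalog so the "cosmetic" claim can be checked rather than trusted.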
@@ -76,51 +70,47 @@ - -

an official to manage the access control policy and procedures is defined;

-
+ +

an official to manage the access control policy and procedures is defined;

+
- -

the frequency at which the current access control policy is reviewed and updated is defined;

-
+ +

the frequency at which the current access control policy is reviewed and updated is defined;

+
- -

events that would require the current access control policy to be reviewed and updated are defined;

-
+ +

events that would require the current access control policy to be reviewed and updated are defined;

+
- -

the frequency at which the current access control procedures are reviewed and updated is defined;

-
+ +

the frequency at which the current access control procedures are reviewed and updated is defined;

+
- -

events that would require procedures to be reviewed and updated are defined;

-
+ +

events that would require procedures to be reviewed and updated are defined;

+
- - + + @@ -135,11 +125,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- access control policy that:

+

access control policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

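Review bot: the `-`/`+` pair that folds "- " followed by a separate line "access control policy that:" into one "+" line is joining a line break that sat between an inline parameter insert and the text after it, and that is mixed content, where the whitespace is character data rather than indentation. Please confirm that a single space survives between the inline element and "access control policy that:" in the output (the same pattern recurs in later hunks, e.g. "when accounts are no longer required;" and "for group and role membership are required;"), and verify the whole file with a whitespace-normalized comparison (diff -w, or canonicalization after collapsing runs of whitespace) rather than a byte diff, because a dropped separator here changes rendered prose without changing any tag.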
@@ -156,18 +145,18 @@
-

Designate an to manage the development, documentation, and dissemination of the access control policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the access control policy and procedures; and

Review and update the current access control:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -184,7 +173,7 @@
-

the access control policy is disseminated to ;

+

the access control policy is disseminated to ;

@@ -192,7 +181,7 @@ -

the access control procedures are disseminated to ;

+

the access control procedures are disseminated to ;

@@ -200,42 +189,42 @@ -

the access control policy addresses purpose;

+

the access control policy addresses purpose;

-

the access control policy addresses scope;

+

the access control policy addresses scope;

-

the access control policy addresses roles;

+

the access control policy addresses roles;

-

the access control policy addresses responsibilities;

+

the access control policy addresses responsibilities;

-

the access control policy addresses management commitment;

+

the access control policy addresses management commitment;

-

the access control policy addresses coordination among organizational entities;

+

the access control policy addresses coordination among organizational entities;

-

the access control policy addresses compliance;

+

the access control policy addresses compliance;

-

the access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+

the access control policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

-

the is designated to manage the development, documentation, and dissemination of the access control policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the access control policy and procedures;

@@ -243,22 +232,22 @@ -

the current access control policy is reviewed and updated ;

+

the current access control policy is reviewed and updated ;

-

the current access control policy is reviewed and updated following ;

+

the current access control policy is reviewed and updated following ;

-

the current access control procedures are reviewed and updated ;

+

the current access control procedures are reviewed and updated ;

-

the current access control procedures are reviewed and updated following .

+

the current access control procedures are reviewed and updated following .

@@ -288,88 +277,86 @@ - -

prerequisites and criteria for group and role membership are defined;

-
+ +

prerequisites and criteria for group and role membership are defined;

+
- -

attributes (as required) for each account are defined;

-
+ +

attributes (as required) for each account are defined;

+
- -

personnel or roles required to approve requests to create accounts is/are defined;

-
+ +

personnel or roles required to approve requests to create accounts is/are defined;

+
- -

policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;

-
+ +

policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;

+
- -

personnel or roles to be notified is/are defined;

-
+ +

personnel or roles to be notified is/are defined;

+
- -

time period within which to notify account managers when accounts are no longer required is defined;

-
+ +

time period within which to notify account managers when accounts are no longer required is defined;

+
- -

time period within which to notify account managers when users are terminated or transferred is defined;

-
+ +

time period within which to notify account managers when users are terminated or transferred is defined;

+
- -

time period within which to notify account managers when system usage or the need to know changes for an individual is defined;

-
+ +

time period within which to notify account managers when system usage or the need to know changes for an individual is defined;

+
- -

attributes needed to authorize system access (as required) are defined;

-
+ +

attributes needed to authorize system access (as required) are defined;

+
- -

the frequency of account review is defined;

-
+ +

the frequency of account review is defined;

+
- + @@ -412,7 +399,7 @@ -

Require for group and role membership;

+

Require for group and role membership;

@@ -427,16 +414,16 @@ -

Access authorizations (i.e., privileges) and for each account;

+

Access authorizations (i.e., privileges) and for each account;

-

Require approvals by for requests to create accounts;

+

Require approvals by for requests to create accounts;

-

Create, enable, modify, disable, and remove accounts in accordance with ;

+

Create, enable, modify, disable, and remove accounts in accordance with ;

@@ -444,21 +431,18 @@ -

Notify account managers and within:

+

Notify account managers and within:

-

- when accounts are no longer required;

+

when accounts are no longer required;

-

- when users are terminated or transferred; and

+

when users are terminated or transferred; and

-

- when system usage or need-to-know changes for an individual;

+

when system usage or need-to-know changes for an individual;

@@ -474,13 +458,12 @@ -

- ;

+

;

-

Review accounts for compliance with account management requirements ;

+

Review accounts for compliance with account management requirements ;

@@ -515,8 +498,7 @@ -

- for group and role membership are required;

+

for group and role membership are required;

@@ -536,36 +518,35 @@ -

- are specified for each account;

+

are specified for each account;

-

approvals are required by for requests to create accounts;

+

approvals are required by for requests to create accounts;

-

accounts are created in accordance with ;

+

accounts are created in accordance with ;

-

accounts are enabled in accordance with ;

+

accounts are enabled in accordance with ;

-

accounts are modified in accordance with ;

+

accounts are modified in accordance with ;

-

accounts are disabled in accordance with ;

+

accounts are disabled in accordance with ;

-

accounts are removed in accordance with ;

+

accounts are removed in accordance with ;

@@ -576,15 +557,15 @@ -

account managers and are notified within when accounts are no longer required;

+

account managers and are notified within when accounts are no longer required;

-

account managers and are notified within when users are terminated or transferred;

+

account managers and are notified within when users are terminated or transferred;

-

account managers and are notified within when system usage or the need to know changes for an individual;

+

account managers and are notified within when system usage or the need to know changes for an individual;

@@ -599,12 +580,12 @@ -

access to the system is authorized based on ;

+

access to the system is authorized based on ;

-

accounts are reviewed for compliance with account management requirements ;

+

accounts are reviewed for compliance with account management requirements ;

@@ -675,26 +656,24 @@ - -

automated mechanisms used to support the management of system accounts are defined;

-
+ +

automated mechanisms used to support the management of system accounts are defined;

+
- + -

Support the management of system accounts using .

+

Support the management of system accounts using .

Automated system account management includes using automated mechanisms to create, enable, modify, disable, and remove accounts; notify account managers when an account is created, enabled, modified, disabled, or removed, or when users are terminated or transferred; monitor system account usage; and report atypical system account usage. Automated mechanisms can include internal system functions and email, telephonic, and text messaging notifications.

-

the management of system accounts is supported using .

+

the management of system accounts is supported using .

@@ -739,31 +718,27 @@ - + - -

the time period after which to automatically remove or disable temporary or emergency accounts is defined;

-
+ +

the time period after which to automatically remove or disable temporary or emergency accounts is defined;

+
- + -

Automatically temporary and emergency accounts after .

+

Automatically temporary and emergency accounts after .

Management of temporary and emergency accounts includes the removal or disabling of such accounts automatically after a predefined time period rather than at the convenience of the system administrator. Automatic removal or disabling of accounts provides a more consistent implementation.

-

temporary and emergency accounts are automatically after .

+

temporary and emergency accounts are automatically after .

@@ -804,27 +779,25 @@ - -

time period within which to disable accounts is defined;

-
+ +

time period within which to disable accounts is defined;

+
- -

time period for account inactivity before disabling is defined;

-
+ +

time period for account inactivity before disabling is defined;

+
- + -

Disable accounts within when the accounts:

+

Disable accounts within when the accounts:

Have expired;

@@ -839,7 +812,7 @@
-

Have been inactive for .

+

Have been inactive for .

@@ -849,19 +822,19 @@ -

accounts are disabled within when the accounts have expired;

+

accounts are disabled within when the accounts have expired;

-

accounts are disabled within when the accounts are no longer associated with a user or individual;

+

accounts are disabled within when the accounts are no longer associated with a user or individual;

-

accounts are disabled within when the accounts are in violation of organizational policy;

+

accounts are disabled within when the accounts are in violation of organizational policy;

-

accounts are disabled within when the accounts have been inactive for .

+

accounts are disabled within when the accounts have been inactive for .

@@ -903,9 +876,7 @@ - + @@ -913,7 +884,7 @@

Automatically audit account creation, modification, enabling, disabling, and removal actions.

-

Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6.

+

Account management audit records are defined in accordance with AU-2 and reviewed, analyzed, and reported in accordance with AU-6.

@@ -975,30 +946,26 @@ - -

the time period of expected inactivity or description of when to log out is defined;

-
+ +

the time period of expected inactivity or description of when to log out is defined;

+
- - + + -

Require that users log out when .

+

Require that users log out when .

-

Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by AC-11.

+

Inactivity logout is behavior- or policy-based and requires users to take physical action to log out when they are expecting inactivity longer than the defined period. Automatic enforcement of inactivity logout is addressed by AC-11.

-

users are required to log out when .

+

users are required to log out when .

@@ -1031,28 +998,25 @@ - -

dynamic privilege management capabilities are defined;

-
+ +

dynamic privilege management capabilities are defined;

+
- + -

Implement .

+

Implement .

In contrast to access control approaches that employ static accounts and predefined user privileges, dynamic access control approaches rely on runtime access control decisions facilitated by dynamic privilege management, such as attribute-based access control. While user identities remain relatively constant over time, user privileges typically change more frequently based on ongoing mission or business requirements and the operational needs of organizations. An example of dynamic privilege management is the immediate revocation of privileges from users as opposed to requiring that users terminate and restart their sessions to reflect changes in privileges. Dynamic privilege management can also include mechanisms that change user privileges based on dynamic rules as opposed to editing specific user profiles. Examples include automatic adjustments of user privileges if they are operating out of their normal work times, if their job function or assignment changes, or if systems are under duress or in emergency situations. Dynamic privilege management includes the effects of privilege changes, for example, when there are changes to encryption keys used for communications.

-

- are implemented.

+

are implemented.

@@ -1099,14 +1063,12 @@ - + -

Establish and administer privileged user accounts in accordance with ;

+

Establish and administer privileged user accounts in accordance with ;

@@ -1128,7 +1090,7 @@ -

privileged user accounts are established and administered in accordance with ;

+

privileged user accounts are established and administered in accordance with ;

@@ -1184,20 +1146,18 @@ - -

system accounts that are dynamically created, activated, managed, and deactivated are defined;

-
+ +

system accounts that are dynamically created, activated, managed, and deactivated are defined;

+
- + -

Create, activate, manage, and deactivate dynamically.

+

Create, activate, manage, and deactivate dynamically.

Approaches for dynamically creating, activating, managing, and deactivating system accounts rely on automatically provisioning the accounts at runtime for entities that were previously unknown. Organizations plan for the dynamic management, creation, activation, and deactivation of system accounts by establishing trust relationships, business rules, and mechanisms with appropriate authorities to validate related authorizations and privileges.

@@ -1206,23 +1166,19 @@ -

- are created dynamically;

+

are created dynamically;

-

- are activated dynamically;

+

are activated dynamically;

-

- are managed dynamically;

+

are managed dynamically;

-

- are deactivated dynamically.

+

are deactivated dynamically.

@@ -1261,31 +1217,27 @@ Restrictions on Use of Shared and Group Accounts - + - -

conditions for establishing shared and group accounts are defined;

-
+ +

conditions for establishing shared and group accounts are defined;

+
- + -

Only permit the use of shared and group accounts that meet .

+

Only permit the use of shared and group accounts that meet .

Before permitting the use of shared or group accounts, organizations consider the increased risk due to the lack of accountability with such accounts.

-

the use of shared and group accounts is only permitted if are met.

+

the use of shared and group accounts is only permitted if are met.

@@ -1332,35 +1284,32 @@ - -

circumstances and/or usage conditions to be enforced for system accounts are defined;

-
+ +

circumstances and/or usage conditions to be enforced for system accounts are defined;

+
- -

system accounts subject to enforcement of circumstances and/or usage conditions are defined;

-
+ +

system accounts subject to enforcement of circumstances and/or usage conditions are defined;

+
- + -

Enforce for .

+

Enforce for .

Specifying and enforcing usage conditions helps to enforce the principle of least privilege, increase user accountability, and enable effective account monitoring. Account monitoring includes alerts generated if the account is used in violation of organizational parameters. Organizations can describe specific conditions or circumstances under which system accounts can be used, such as by restricting usage to certain days of the week, time of day, or specific durations of time.

-

- for are enforced.

+

for are enforced.

@@ -1400,27 +1349,23 @@ - -

atypical usage for which to monitor system accounts is defined;

-
+ +

atypical usage for which to monitor system accounts is defined;

+
- -

personnel or roles to report atypical usage is/are defined;

-
+ +

personnel or roles to report atypical usage is/are defined;

+
- - + + @@ -1430,11 +1375,11 @@ -

Monitor system accounts for ; and

+

Monitor system accounts for ; and

-

Report atypical usage of system accounts to .

+

Report atypical usage of system accounts to .

@@ -1444,11 +1389,11 @@ -

system accounts are monitored for ;

+

system accounts are monitored for ;

-

atypical usage of system accounts is reported to .

+

atypical usage of system accounts is reported to .

@@ -1491,36 +1436,34 @@ - -

time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;

-
+ +

time period within which to disable accounts of individuals who are discovered to pose significant risk is defined;

+
- -

significant risks leading to disabling accounts are defined;

-
+ +

significant risks leading to disabling accounts are defined;

+
- + -

Disable accounts of individuals within of discovery of .

+

Disable accounts of individuals within of discovery of .

Users who pose a significant security and/or privacy risk include individuals for whom reliable evidence indicates either the intention to use authorized access to systems to cause harm or through whom adversaries will cause harm. Such harm includes adverse impacts to organizational operations, organizational assets, individuals, other organizations, or the Nation. Close coordination among system administrators, legal staff, human resource managers, and authorizing officials is essential when disabling system accounts for high-risk individuals.

-

accounts of individuals are disabled within of discovery of .

+

accounts of individuals are disabled within of discovery of .

@@ -1560,9 +1503,7 @@ - + @@ -1668,33 +1609,29 @@ Dual Authorization - + - -

privileged commands and/or other actions requiring dual authorization are defined;

-
+ +

privileged commands and/or other actions requiring dual authorization are defined;

+
- + -

Enforce dual authorization for .

+

Enforce dual authorization for .

Dual authorization, also known as two-person control, reduces risk related to insider threats. Dual authorization mechanisms require the approval of two authorized individuals to execute. To reduce the risk of collusion, organizations consider rotating dual authorization duties. Organizations consider the risk associated with implementing dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety.

-

dual authorization is enforced for .

+

dual authorization is enforced for .

@@ -1732,54 +1669,48 @@ Mandatory Access Control - - + + - -

mandatory access control policy enforced over the set of covered subjects is defined;

-
+ +

mandatory access control policy enforced over the set of covered subjects is defined;

+
- -

mandatory access control policy enforced over the set of covered objects is defined;

-
+ +

mandatory access control policy enforced over the set of covered objects is defined;

+
- -

subjects to be explicitly granted privileges are defined;

-
+ +

subjects to be explicitly granted privileges are defined;

+
- -

privileges to be explicitly granted to subjects are defined;

-
+ +

privileges to be explicitly granted to subjects are defined;

+
- + -

Enforce over the set of covered subjects and objects specified in the policy, and where the policy:

+

Enforce over the set of covered subjects and objects specified in the policy, and where the policy:

Is uniformly enforced across the covered subjects and objects within the system;

@@ -1810,70 +1741,60 @@
-

Specifies that may explicitly be granted such that they are not limited by any defined subset (or all) of the above constraints.

+

Specifies that may explicitly be granted such that they are not limited by any defined subset (or all) of the above constraints.

-

Mandatory access control is a type of nondiscretionary access control. Mandatory access control policies constrain what actions subjects can take with information obtained from objects for which they have already been granted access. This prevents the subjects from passing the information to unauthorized subjects and objects. Mandatory access control policies constrain actions that subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the system has control. Otherwise, the access control policy can be circumvented. This enforcement is provided by an implementation that meets the reference monitor concept as described in AC-25 . The policy is bounded by the system (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect).

-

The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6 ). Trusted subjects are only given the minimum privileges necessary for satisfying organizational mission/business needs relative to the above policy. The control is most applicable when there is a mandate that establishes a policy regarding access to controlled unclassified information or classified information and some users of the system are not authorized access to all such information resident in the system. Mandatory access control can operate in conjunction with discretionary access control as described in AC-3(4) . A subject constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of AC-3(4), but mandatory access control policies take precedence over the less rigorous constraints of AC-3(4). For example, while a mandatory access control policy imposes a constraint that prevents a subject from passing information to another subject operating at a different impact or classification level, AC-3(4) permits the subject to pass the information to any other subject with the same impact or classification level as the subject. Examples of mandatory access control policies include the Bell-LaPadula policy to protect confidentiality of information and the Biba policy to protect the integrity of information.

+

Mandatory access control is a type of nondiscretionary access control. Mandatory access control policies constrain what actions subjects can take with information obtained from objects for which they have already been granted access. This prevents the subjects from passing the information to unauthorized subjects and objects. Mandatory access control policies constrain actions that subjects can take with respect to the propagation of access control privileges; that is, a subject with a privilege cannot pass that privilege to other subjects. The policy is uniformly enforced over all subjects and objects to which the system has control. Otherwise, the access control policy can be circumvented. This enforcement is provided by an implementation that meets the reference monitor concept as described in AC-25 . The policy is bounded by the system (i.e., once the information is passed outside of the control of the system, additional means may be required to ensure that the constraints on the information remain in effect).

+

The trusted subjects described above are granted privileges consistent with the concept of least privilege (see AC-6 ). Trusted subjects are only given the minimum privileges necessary for satisfying organizational mission/business needs relative to the above policy. The control is most applicable when there is a mandate that establishes a policy regarding access to controlled unclassified information or classified information and some users of the system are not authorized access to all such information resident in the system. Mandatory access control can operate in conjunction with discretionary access control as described in AC-3(4) . A subject constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of AC-3(4), but mandatory access control policies take precedence over the less rigorous constraints of AC-3(4). For example, while a mandatory access control policy imposes a constraint that prevents a subject from passing information to another subject operating at a different impact or classification level, AC-3(4) permits the subject to pass the information to any other subject with the same impact or classification level as the subject. Examples of mandatory access control policies include the Bell-LaPadula policy to protect confidentiality of information and the Biba policy to protect the integrity of information.

-

- is enforced over the set of covered subjects specified in the policy;

+

is enforced over the set of covered subjects specified in the policy;

-

- is enforced over the set of covered objects specified in the policy;

+

is enforced over the set of covered objects specified in the policy;

-

- is uniformly enforced across the covered subjects within the system;

+

is uniformly enforced across the covered subjects within the system;

-

- is uniformly enforced across the covered objects within the system;

+

is uniformly enforced across the covered objects within the system;

-

- and specifying that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects are enforced;

+

and specifying that a subject that has been granted access to information is constrained from passing the information to unauthorized subjects or objects are enforced;

-

- and specifying that a subject that has been granted access to information is constrained from granting its privileges to other subjects are enforced;

+

and specifying that a subject that has been granted access to information is constrained from granting its privileges to other subjects are enforced;

-

- and specifying that a subject that has been granted access to information is constrained from changing one of more security attributes (specified by the policy) on subjects, objects, the system, or system components are enforced;

+

and specifying that a subject that has been granted access to information is constrained from changing one of more security attributes (specified by the policy) on subjects, objects, the system, or system components are enforced;

-

- and specifying that a subject that has been granted access to information is constrained from choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects are enforced;

+

and specifying that a subject that has been granted access to information is constrained from choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects are enforced;

-

- and specifying that a subject that has been granted access to information is constrained from changing the rules governing access control are enforced;

+

and specifying that a subject that has been granted access to information is constrained from changing the rules governing access control are enforced;

-

- and specifying that may explicitly be granted such that they are not limited by any defined subset (or all) of the above constraints are enforced.

+

and specifying that may explicitly be granted such that they are not limited by any defined subset (or all) of the above constraints are enforced.

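Review bot: the old and new lines of the AC-3(3) assessment objective both read "constrained from changing one of more security attributes", so the typo ("one or more") is carried through unchanged; that is correct for a whitespace-only commit, but please open a separate errata issue for it rather than letting it ride. The guidance paragraphs also keep "as described in AC-25 ." and "(see AC-6 )" with a space before the punctuation on both sides of the diff, which is useful evidence that the stylesheet preserves text around inline references, but it means any spacing quirks in the source survive the reformat and should not be expected to disappear.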
@@ -1912,37 +1833,31 @@ Discretionary Access Control - - + + - -

discretionary access control policy enforced over the set of covered subjects is defined;

-
+ +

discretionary access control policy enforced over the set of covered subjects is defined;

+
- -

discretionary access control policy enforced over the set of covered objects is defined;

-
+ +

discretionary access control policy enforced over the set of covered objects is defined;

+
- + -

Enforce over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:

+

Enforce over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:

Pass the information to any other subjects or objects;

@@ -1965,44 +1880,37 @@
-

When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing the information to other subjects or objects (i.e., subjects have the discretion to pass). Discretionary access control can operate in conjunction with mandatory access control as described in AC-3(3) and AC-3(15) . A subject that is constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of discretionary access control. Therefore, while AC-3(3) imposes constraints that prevent a subject from passing information to another subject operating at a different impact or classification level, AC-3(4) permits the subject to pass the information to any subject at the same impact or classification level. The policy is bounded by the system. Once the information is passed outside of system control, additional means may be required to ensure that the constraints remain in effect. While traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this particular use of discretionary access control.

+

When discretionary access control policies are implemented, subjects are not constrained with regard to what actions they can take with information for which they have already been granted access. Thus, subjects that have been granted access to information are not prevented from passing the information to other subjects or objects (i.e., subjects have the discretion to pass). Discretionary access control can operate in conjunction with mandatory access control as described in AC-3(3) and AC-3(15) . A subject that is constrained in its operation by mandatory access control policies can still operate under the less rigorous constraints of discretionary access control. Therefore, while AC-3(3) imposes constraints that prevent a subject from passing information to another subject operating at a different impact or classification level, AC-3(4) permits the subject to pass the information to any subject at the same impact or classification level. The policy is bounded by the system. Once the information is passed outside of system control, additional means may be required to ensure that the constraints remain in effect. While traditional definitions of discretionary access control require identity-based access control, that limitation is not required for this particular use of discretionary access control.

-

- is enforced over the set of covered subjects specified in the policy;

+

is enforced over the set of covered subjects specified in the policy;

-

- is enforced over the set of covered objects specified in the policy;

+

is enforced over the set of covered objects specified in the policy;

-

- and are enforced where the policy specifies that a subject that has been granted access to information can pass the information to any other subjects or objects;

+

and are enforced where the policy specifies that a subject that has been granted access to information can pass the information to any other subjects or objects;

-

- and are enforced where the policy specifies that a subject that has been granted access to information can grant its privileges to other subjects;

+

and are enforced where the policy specifies that a subject that has been granted access to information can grant its privileges to other subjects;

-

- and are enforced where the policy specifies that a subject that has been granted access to information can change security attributes on subjects, objects, the system, or the system’s components;

+

and are enforced where the policy specifies that a subject that has been granted access to information can change security attributes on subjects, objects, the system, or the system’s components;

-

- and are enforced where the policy specifies that a subject that has been granted access to information can choose the security attributes to be associated with newly created or revised objects;

+

and are enforced where the policy specifies that a subject that has been granted access to information can choose the security attributes to be associated with newly created or revised objects;

-

- and are enforced where the policy specifies that a subject that has been granted access to information can change the rules governing access control.

+

and are enforced where the policy specifies that a subject that has been granted access to information can change the rules governing access control.

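Review bot: mixed-content paragraphs are the one place a whitespace-only reformat can change meaning, and this hunk contains one: the discussion paragraph in the `-`/`+` pair beginning "When discretionary access control policies are implemented" carries inline references (visible as "AC-3(3) and AC-3(15) ."), so any indentation applied inside that element would alter character data rather than layout. The two copies read identically here, which is what a whitespace-only change should show, but the hunk spans 44 old lines against 37 new ones, so lines were dropped; please confirm for the whole file with `git show -w` (or a canonicalized comparison such as `xmllint --c14n` of both revisions) that only indentation and blank lines changed and that no text node inside a paragraph gained or lost whitespace.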
@@ -2044,28 +1952,26 @@ - -

security-relevant information to which access is prevented except during secure, non-operable system states is defined;

-
+ +

security-relevant information to which access is prevented except during secure, non-operable system states is defined;

+
- + -

Prevent access to except during secure, non-operable system states.

+

Prevent access to except during secure, non-operable system states.

Security-relevant information is information within systems that can potentially impact the operation of security functions or the provision of security services in a manner that could result in failure to enforce system security and privacy policies or maintain the separation of code and data. Security-relevant information includes access control lists, filtering rules for routers or firewalls, configuration parameters for security services, and cryptographic key management information. Secure, non-operable system states include the times in which systems are not performing mission or business-related processing, such as when the system is offline for maintenance, boot-up, troubleshooting, or shut down.

-

access to is prevented except during secure, non-operable system states.

+

access to is prevented except during secure, non-operable system states.

@@ -2110,43 +2016,35 @@ Role-based Access Control - - + + - -

roles upon which to base control of access are defined;

-
+ +

roles upon which to base control of access are defined;

+
- -

users authorized to assume roles (defined in AC-03(07)_ODP[01]) are defined;

-
+ +

users authorized to assume roles (defined in AC-03(07)_ODP[01]) are defined;

+
- - + + -

Enforce a role-based access control policy over defined subjects and objects and control access based upon .

+

Enforce a role-based access control policy over defined subjects and objects and control access based upon .

-

Role-based access control (RBAC) is an access control policy that enforces access to objects and system functions based on the defined role (i.e., job function) of the subject. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on the systems associated with the organization-defined roles. When users are assigned to specific roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a large number of individuals) but are instead acquired through role assignments. RBAC can also increase privacy and security risk if individuals assigned to a role are given access to information beyond what they need to support organizational missions or business functions. RBAC can be implemented as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3(3) define the scope of the subjects and objects covered by the policy.

+

Role-based access control (RBAC) is an access control policy that enforces access to objects and system functions based on the defined role (i.e., job function) of the subject. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on the systems associated with the organization-defined roles. When users are assigned to specific roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a large number of individuals) but are instead acquired through role assignments. RBAC can also increase privacy and security risk if individuals assigned to a role are given access to information beyond what they need to support organizational missions or business functions. RBAC can be implemented as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3(3) define the scope of the subjects and objects covered by the policy.

@@ -2160,7 +2058,7 @@ -

access is controlled based on and .

+

access is controlled based on and .

@@ -2201,27 +2099,21 @@ Revocation of Access Authorizations - + - -

rules governing the timing of revocations of access authorizations are defined;

-
+ +

rules governing the timing of revocations of access authorizations are defined;

+
- - + + -

Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on .

+

Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on .

Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process acting on behalf of a user) is removed from a group, access may not be revoked until the next time the object is opened or the next time the subject attempts to access the object. Revocation based on changes to security labels may take effect immediately. Organizations provide alternative approaches on how to make revocations immediate if systems cannot provide such capability and immediate revocation is necessary.

@@ -2230,11 +2122,11 @@ -

revocation of access authorizations is enforced, resulting from changes to the security attributes of subjects based on ;

+

revocation of access authorizations is enforced, resulting from changes to the security attributes of subjects based on ;

-

revocation of access authorizations is enforced resulting from changes to the security attributes of objects based on .

+

revocation of access authorizations is enforced resulting from changes to the security attributes of objects based on .

@@ -2274,35 +2166,31 @@ - -

the outside system or system component to which to release information is defined;

-
+ +

the outside system or system component to which to release information is defined;

+
- -

controls to be provided by the outside system or system component (defined in AC-03(09)_ODP[01]) are defined;

-
+ +

controls to be provided by the outside system or system component (defined in AC-03(09)_ODP[01]) are defined;

+
- -

controls used to validate appropriateness of information to be released are defined;

-
+ +

controls used to validate appropriateness of information to be released are defined;

+
- - + + @@ -2313,12 +2201,11 @@

Release information outside of the system only if:

-

The receiving provides ; and

+

The receiving provides ; and

-

- are used to validate the appropriateness of the information designated for release.

+

are used to validate the appropriateness of the information designated for release.

@@ -2329,11 +2216,11 @@ -

information is released outside of the system only if the receiving provides ;

+

information is released outside of the system only if the receiving provides ;

-

information is released outside of the system only if are used to validate the appropriateness of the information designated for release.

+

information is released outside of the system only if are used to validate the appropriateness of the information designated for release.

@@ -2382,24 +2269,22 @@ - -

conditions under which to employ an audited override of automated access control mechanisms are defined;

-
+ +

conditions under which to employ an audited override of automated access control mechanisms are defined;

+
- -

roles allowed to employ an audited override of automated access control mechanisms are defined;

-
+ +

roles allowed to employ an audited override of automated access control mechanisms are defined;

+
- + @@ -2407,14 +2292,14 @@ -

Employ an audited override of automated access control mechanisms under by .

+

Employ an audited override of automated access control mechanisms under by .

-

In certain situations, such as when there is a threat to human life or an event that threatens the organization’s ability to carry out critical missions or business functions, an override capability for access control mechanisms may be needed. Override conditions are defined by organizations and used only in those limited circumstances. Audit events are defined in AU-2 . Audit records are generated in AU-12.

+

In certain situations, such as when there is a threat to human life or an event that threatens the organization’s ability to carry out critical missions or business functions, an override capability for access control mechanisms may be needed. Override conditions are defined by organizations and used only in those limited circumstances. Audit events are defined in AU-2 . Audit records are generated in AU-12.

-

an audited override of automated access control mechanisms is employed under by .

+

an audited override of automated access control mechanisms is employed under by .

@@ -2453,30 +2338,28 @@ - -

information types requiring restricted access to data repositories are defined;

-
+ +

information types requiring restricted access to data repositories are defined;

+
- + -

Restrict access to data repositories containing .

+

Restrict access to data repositories containing .

Restricting access to specific information is intended to provide flexibility regarding access control of specific information types within a system. For example, role-based access could be employed to allow access to only a specific type of personally identifiable information within a database rather than allowing access to the database in its entirety. Other examples include restricting access to cryptographic keys, authentication information, and selected system information.

-

access to data repositories containing is restricted.

+

access to data repositories containing is restricted.

@@ -2515,22 +2398,20 @@ - -

system applications and functions requiring access assertion are defined;

-
+ +

system applications and functions requiring access assertion are defined;

+
- + -

Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: ;

+

Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: ;

@@ -2548,7 +2429,7 @@ -

as part of the installation process, applications are required to assert the access needed to the following system applications and functions: ;

+

as part of the installation process, applications are required to assert the access needed to the following system applications and functions: ;

@@ -2593,27 +2474,23 @@ Attribute-based Access Control - + - -

attributes to assume access permissions are defined;

-
+ +

attributes to assume access permissions are defined;

+
- + -

Enforce attribute-based access control policy over defined subjects and objects and control access based upon .

+

Enforce attribute-based access control policy over defined subjects and objects and control access based upon .

-

Attribute-based access control is an access control policy that restricts system access to authorized users based on specified organizational attributes (e.g., job function, identity), action attributes (e.g., read, write, delete), environmental attributes (e.g., time of day, location), and resource attributes (e.g., classification of a document). Organizations can create rules based on attributes and the authorizations (i.e., privileges) to perform needed operations on the systems associated with organization-defined attributes and rules. When users are assigned to attributes defined in attribute-based access control policies or rules, they can be provisioned to a system with the appropriate privileges or dynamically granted access to a protected resource. Attribute-based access control can be implemented as either a mandatory or discretionary form of access control. When implemented with mandatory access controls, the requirements in AC-3(3) define the scope of the subjects and objects covered by the policy.

+

Attribute-based access control is an access control policy that restricts system access to authorized users based on specified organizational attributes (e.g., job function, identity), action attributes (e.g., read, write, delete), environmental attributes (e.g., time of day, location), and resource attributes (e.g., classification of a document). Organizations can create rules based on attributes and the authorizations (i.e., privileges) to perform needed operations on the systems associated with organization-defined attributes and rules. When users are assigned to attributes defined in attribute-based access control policies or rules, they can be provisioned to a system with the appropriate privileges or dynamically granted access to a protected resource. Attribute-based access control can be implemented as either a mandatory or discretionary form of access control. When implemented with mandatory access controls, the requirements in AC-3(3) define the scope of the subjects and objects covered by the policy.

@@ -2627,7 +2504,7 @@ -

access is controlled based on .

+

access is controlled based on .

@@ -2667,24 +2544,22 @@ - -

mechanisms enabling individuals to have access to elements of their personally identifiable information are defined;

-
+ +

mechanisms enabling individuals to have access to elements of their personally identifiable information are defined;

+
- -

elements of personally identifiable information to which individuals have access are defined;

-
+ +

elements of personally identifiable information to which individuals have access are defined;

+
- + @@ -2692,15 +2567,14 @@ -

Provide to enable individuals to have access to the following elements of their personally identifiable information: .

+

Provide to enable individuals to have access to the following elements of their personally identifiable information: .

-

Individual access affords individuals the ability to review personally identifiable information about them held within organizational records, regardless of format. Access helps individuals to develop an understanding about how their personally identifiable information is being processed. It can also help individuals ensure that their data is accurate. Access mechanisms can include request forms and application interfaces. For federal agencies, PRIVACT processes can be located in systems of record notices and on agency websites. Access to certain types of records may not be appropriate (e.g., for federal agencies, law enforcement records within a system of records may be exempt from disclosure under the PRIVACT ) or may require certain levels of authentication assurance. Organizational personnel consult with the senior agency official for privacy and legal counsel to determine appropriate mechanisms and access rights or limitations.

+

Individual access affords individuals the ability to review personally identifiable information about them held within organizational records, regardless of format. Access helps individuals to develop an understanding about how their personally identifiable information is being processed. It can also help individuals ensure that their data is accurate. Access mechanisms can include request forms and application interfaces. For federal agencies, PRIVACT processes can be located in systems of record notices and on agency websites. Access to certain types of records may not be appropriate (e.g., for federal agencies, law enforcement records within a system of records may be exempt from disclosure under the PRIVACT ) or may require certain levels of authentication assurance. Organizational personnel consult with the senior agency official for privacy and legal counsel to determine appropriate mechanisms and access rights or limitations.

-

- are provided to enable individuals to have access to of their personally identifiable information.

+

are provided to enable individuals to have access to of their personally identifiable information.

@@ -2742,57 +2616,47 @@ Discretionary and Mandatory Access Control - - + + - - + + - -

a mandatory access control policy enforced over the set of covered subjects specified in the policy is defined;

-
+ +

a mandatory access control policy enforced over the set of covered subjects specified in the policy is defined;

+
- -

a mandatory access control policy enforced over the set of covered objects specified in the policy is defined;

-
+ +

a mandatory access control policy enforced over the set of covered objects specified in the policy is defined;

+
- -

a discretionary access control policy enforced over the set of covered subjects specified in the policy is defined;

-
+ +

a discretionary access control policy enforced over the set of covered subjects specified in the policy is defined;

+
- -

a discretionary access control policy enforced over the set of covered objects specified in the policy is defined;

-
+ +

a discretionary access control policy enforced over the set of covered objects specified in the policy is defined;

+
- + @@ -2800,11 +2664,11 @@ -

Enforce over the set of covered subjects and objects specified in the policy; and

+

Enforce over the set of covered subjects and objects specified in the policy; and

-

Enforce over the set of covered subjects and objects specified in the policy.

+

Enforce over the set of covered subjects and objects specified in the policy.

@@ -2816,26 +2680,22 @@ -

- is enforced over the set of covered subjects specified in the policy;

+

is enforced over the set of covered subjects specified in the policy;

-

- is enforced over the set of covered objects specified in the policy;

+

is enforced over the set of covered objects specified in the policy;

-

- is enforced over the set of covered subjects specified in the policy;

+

is enforced over the set of covered subjects specified in the policy;

-

- is enforced over the set of covered objects specified in the policy.

+

is enforced over the set of covered objects specified in the policy.

@@ -2879,16 +2739,14 @@ - -

information flow control policies within the system and between connected systems are defined;

-
+ +

information flow control policies within the system and between connected systems are defined;

+
- + @@ -2911,15 +2769,15 @@ -

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on .

+

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on .

-

Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3 ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.

+

Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-3 ). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.

Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS).

-

approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on .

+

approved authorizations are enforced for controlling the flow of information within the system and between connected systems based on .

@@ -2960,108 +2818,90 @@ Object Security and Privacy Attributes - - + + - - - - - - + + + + + + - -

security attributes to be associated with information, source, and destination objects are defined;

-
+ +

security attributes to be associated with information, source, and destination objects are defined;

+
- -

privacy attributes to be associated with information, source, and destination objects are defined;

-
+ +

privacy attributes to be associated with information, source, and destination objects are defined;

+
- -

information objects to be associated with information security attributes are defined;

-
+ +

information objects to be associated with information security attributes are defined;

+
- -

information objects to be associated with privacy attributes are defined;

-
+ +

information objects to be associated with privacy attributes are defined;

+
- -

source objects to be associated with information security attributes are defined;

-
+ +

source objects to be associated with information security attributes are defined;

+
- -

source objects to be associated with privacy attributes are defined;

-
+ +

source objects to be associated with privacy attributes are defined;

+
- -

destination objects to be associated with information security attributes are defined;

-
+ +

destination objects to be associated with information security attributes are defined;

+
- -

destination objects to be associated with privacy attributes are defined;

-
+ +

destination objects to be associated with privacy attributes are defined;

+
- -

information flow control policies as a basis for enforcement of flow control decisions are defined;

-
+ +

information flow control policies as a basis for enforcement of flow control decisions are defined;

+
- + -

Use associated with to enforce as a basis for flow control decisions.

+

Use associated with to enforce as a basis for flow control decisions.

Information flow enforcement mechanisms compare security and privacy attributes associated with information (i.e., data content and structure) and source and destination objects and respond appropriately when the enforcement mechanisms encounter information flows not explicitly allowed by information flow policies. For example, an information object labeled Secret would be allowed to flow to a destination object labeled Secret, but an information object labeled Top Secret would not be allowed to flow to a destination object labeled Secret. A dataset of personally identifiable information may be tagged with restrictions against combining with other types of datasets and, thus, would not be allowed to flow to the restricted dataset. Security and privacy attributes can also include source and destination addresses employed in traffic filter firewalls. Flow enforcement using explicit security or privacy attributes can be used, for example, to control the release of certain types of information.

@@ -3070,13 +2910,11 @@ -

- associated with , , and are used to enforce as a basis for flow control decisions;

+

associated with , , and are used to enforce as a basis for flow control decisions;

-

- associated with , , and are used to enforce as a basis for flow control decisions.

+

associated with , , and are used to enforce as a basis for flow control decisions.

@@ -3119,27 +2957,25 @@ - -

information flow control policies to be enforced by use of protected processing domains are defined;

-
+ +

information flow control policies to be enforced by use of protected processing domains are defined;

+
- + -

Use protected processing domains to enforce as a basis for flow control decisions.

+

Use protected processing domains to enforce as a basis for flow control decisions.

Protected processing domains within systems are processing spaces that have controlled interactions with other processing spaces, enabling control of information flows between these spaces and to/from information objects. A protected processing domain can be provided, for example, by implementing domain and type enforcement. In domain and type enforcement, system processes are assigned to domains, information is identified by types, and information flows are controlled based on allowed information accesses (i.e., determined by domain and type), allowed signaling among domains, and allowed process transitions to other domains.

-

protected processing domains are used to enforce as a basis for flow control decisions.

+

protected processing domains are used to enforce as a basis for flow control decisions.

@@ -3178,28 +3014,25 @@ - -

information flow control policies to be enforced are defined;

-
+ +

information flow control policies to be enforced are defined;

+
- + -

Enforce .

+

Enforce .

Organizational policies regarding dynamic information flow control include allowing or disallowing information flows based on changing conditions or mission or operational considerations. Changing conditions include changes in risk tolerance due to changes in the immediacy of mission or business needs, changes in the threat environment, and detection of potentially harmful or adverse events.

-

- are enforced.

+

are enforced.

@@ -3239,9 +3072,9 @@ - -

information flow control mechanisms that encrypted information is prevented from bypassing are defined;

-
+ +

information flow control mechanisms that encrypted information is prevented from bypassing are defined;

+
@@ -3250,9 +3083,7 @@ decrypting the information blocking the flow of the encrypted information terminating communications sessions attempting to pass encrypted information - - - + @@ -3260,27 +3091,25 @@ - -
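Review bot: this hunk replaces three `-` lines with one `+` line and none of the changed lines carry visible text, while the three selection choices `decrypting the information`, `blocking the flow of the encrypted information` and `terminating communications sessions attempting to pass encrypted information` are unchanged context, so the removed lines are presumably whitespace-only nodes between choice elements being collapsed. Because the element tags are not visible in this view, please confirm the selection still lists exactly these three choices after the reformat and that only whitespace-only nodes were merged; a count of `choice` elements before and after would settle it.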

the organization-defined procedure or method used to prevent encrypted information from bypassing information flow control mechanisms is defined (if selected);

-
+ +

the organization-defined procedure or method used to prevent encrypted information from bypassing information flow control mechanisms is defined (if selected);

+
- + -

Prevent encrypted information from bypassing by .

+

Prevent encrypted information from bypassing by .

Flow control mechanisms include content checking, security policy filters, and data type identifiers. The term encryption is extended to cover encoded data not recognized by filtering mechanisms.

-

encrypted information is prevented from bypassing by .

+

encrypted information is prevented from bypassing by .

@@ -3319,27 +3148,24 @@ - -

limitations on embedding data types within other data types are defined;

-
+ +

limitations on embedding data types within other data types are defined;

+
- + -

Enforce on embedding data types within other data types.

+

Enforce on embedding data types within other data types.

Embedding data types within other data types may result in reduced flow control effectiveness. Data type embedding includes inserting files as objects within other files and using compressed or archived data types that may include multiple embedded data types. Limitations on data type embedding consider the levels of embedding and prohibit levels of data type embedding that are beyond the capability of the inspection tools.

-

- are enforced on embedding data types within other data types.

+

are enforced on embedding data types within other data types.

@@ -3378,28 +3204,26 @@ - -

metadata on which to base enforcement of information flow control is defined;

-
+ +

metadata on which to base enforcement of information flow control is defined;

+
- + -

Enforce information flow control based on .

+

Enforce information flow control based on .

Metadata is information that describes the characteristics of data. Metadata can include structural metadata describing data structures or descriptive metadata describing data content. Enforcement of allowed information flows based on metadata enables simpler and more effective flow control. Organizations consider the trustworthiness of metadata regarding data accuracy (i.e., knowledge that the metadata values are correct with respect to the data), data integrity (i.e., protecting against unauthorized changes to metadata tags), and the binding of metadata to the data payload (i.e., employing sufficiently strong binding techniques with appropriate assurance).

-

information flow control enforcement is based on .

+

information flow control enforcement is based on .

@@ -3438,9 +3262,7 @@ - +

Enforce one-way information flows through hardware-based flow control mechanisms.

@@ -3487,59 +3309,47 @@ Security and Privacy Policy Filters - - + + - - + + - - + + - -

security policy filters to be used as a basis for enforcing information flow control are defined;

-
+ +

security policy filters to be used as a basis for enforcing information flow control are defined;

+
- -

privacy policy filters to be used as a basis for enforcing information flow control are defined;

-
+ +

privacy policy filters to be used as a basis for enforcing information flow control are defined;

+
- -

information flows for which information flow control is enforced by security filters are defined;

-
+ +

information flows for which information flow control is enforced by security filters are defined;

+
- -

information flows for which information flow control is enforced by privacy filters are defined;

-
+ +

information flows for which information flow control is enforced by privacy filters are defined;

+
@@ -3554,33 +3364,30 @@ - -

security policy identifying actions to be taken after a filter processing failure are defined;

-
+ +

security policy identifying actions to be taken after a filter processing failure are defined;

+
- -

privacy policy identifying actions to be taken after a filter processing failure are defined;

-
+ +

privacy policy identifying actions to be taken after a filter processing failure are defined;

+
- + -

Enforce information flow control using as a basis for flow control decisions for ; and

+

Enforce information flow control using as a basis for flow control decisions for ; and

-

- data after a filter processing failure in accordance with .

+

data after a filter processing failure in accordance with .

@@ -3592,19 +3399,17 @@ -

information flow control is enforced using as a basis for flow control decisions for ;

+

information flow control is enforced using as a basis for flow control decisions for ;

-

information flow control is enforced using as a basis for flow control decisions for ;

+

information flow control is enforced using as a basis for flow control decisions for ;

-

- data after a filter processing failure in accordance with ;

-

- data after a filter processing failure in accordance with .

+

data after a filter processing failure in accordance with ;

+

data after a filter processing failure in accordance with .

@@ -3648,37 +3453,33 @@ - -

information flows requiring the use of human reviews are defined;

-
+ +

information flows requiring the use of human reviews are defined;

+
- -

conditions under which the use of human reviews for information flows are to be enforced are defined;

-
+ +

conditions under which the use of human reviews for information flows are to be enforced are defined;

+
- - + + -

Enforce the use of human reviews for under the following conditions: .

+

Enforce the use of human reviews for under the following conditions: .

Organizations define security or privacy policy filters for all situations where automated flow control decisions are possible. When a fully automated flow control decision is not possible, then a human review may be employed in lieu of or as a complement to automated security or privacy policy filtering. Human reviews may also be employed as deemed necessary by organizations.

-

human reviews are used for under .

+

human reviews are used for under .

@@ -3719,60 +3520,50 @@ Enable and Disable Security or Privacy Policy Filters - - + + - - + + - -

security policy filters that privileged administrators have the capability to enable and disable are defined;

-
+ +

security policy filters that privileged administrators have the capability to enable and disable are defined;

+
- -

privacy policy filters that privileged administrators have the capability to enable and disable are defined;

-
+ +

privacy policy filters that privileged administrators have the capability to enable and disable are defined;

+
- -

conditions under which privileged administrators have the capability to enable and disable security policy filters are defined;

-
+ +

conditions under which privileged administrators have the capability to enable and disable security policy filters are defined;

+
- -

conditions under which privileged administrators have the capability to enable and disable privacy policy filters are defined;

-
+ +

conditions under which privileged administrators have the capability to enable and disable privacy policy filters are defined;

+
- + -

Provide the capability for privileged administrators to enable and disable under the following conditions: .

+

Provide the capability for privileged administrators to enable and disable under the following conditions: .

For example, as allowed by the system authorization, administrators can enable security or privacy policy filters to accommodate approved data types. Administrators also have the capability to select the filters that are executed on a specific data flow based on the type of data that is being transferred, the source and destination security domains, and other security or privacy relevant features, as needed.

@@ -3781,11 +3572,11 @@ -

capability is provided for privileged administrators to enable and disable under ;

+

capability is provided for privileged administrators to enable and disable under ;

-

capability is provided for privileged administrators to enable and disable under .

+

capability is provided for privileged administrators to enable and disable under .

@@ -3828,37 +3619,31 @@ Configuration of Security or Privacy Policy Filters - - + + - -

security policy filters that privileged administrators have the capability to configure to support different security and privacy policies are defined;

-
+ +

security policy filters that privileged administrators have the capability to configure to support different security and privacy policies are defined;

+
- -

privacy policy filters that privileged administrators have the capability to configure to support different security and privacy policies are defined;

-
+ +

privacy policy filters that privileged administrators have the capability to configure to support different security and privacy policies are defined;

+
- + -

Provide the capability for privileged administrators to configure to support different security or privacy policies.

+

Provide the capability for privileged administrators to configure to support different security or privacy policies.

Documentation contains detailed information for configuring security or privacy policy filters. For example, administrators can configure security or privacy policy filters to include the list of inappropriate words that security or privacy policy mechanisms check in accordance with the definitions provided by organizations.

@@ -3867,11 +3652,11 @@ -

capability is provided for privileged administrators to configure to support different security or privacy policies;

+

capability is provided for privileged administrators to configure to support different security or privacy policies;

-

capability is provided for privileged administrators to configure to support different security or privacy policies.

+

capability is provided for privileged administrators to configure to support different security or privacy policies.

@@ -3916,26 +3701,24 @@ - -

data type identifiers to be used to validate data essential for information flow decisions are defined;

-
+ +

data type identifiers to be used to validate data essential for information flow decisions are defined;

+
- + -

When transferring information between different security domains, use to validate data essential for information flow decisions.

+

When transferring information between different security domains, use to validate data essential for information flow decisions.

Data type identifiers include filenames, file types, file signatures or tokens, and multiple internal file signatures or tokens. Systems only allow transfer of data that is compliant with data type format specifications. Identification and validation of data types is based on defined specifications associated with each allowed data format. The filename and number alone are not used for data type identification. Content is validated syntactically and semantically against its specification to ensure that it is the proper data type.

-

when transferring information between different security domains, are used to validate data essential for information flow decisions.

+

when transferring information between different security domains, are used to validate data essential for information flow decisions.

@@ -3975,26 +3758,24 @@ - -

policy-relevant subcomponents into which to decompose information for submission to policy enforcement mechanisms are defined;

-
+ +

policy-relevant subcomponents into which to decompose information for submission to policy enforcement mechanisms are defined;

+
- + -

When transferring information between different security domains, decompose information into for submission to policy enforcement mechanisms.

+

When transferring information between different security domains, decompose information into for submission to policy enforcement mechanisms.

Decomposing information into policy-relevant subcomponents prior to information transfer facilitates policy decisions on source, destination, certificates, classification, attachments, and other security- or privacy-related component differentiators. Policy enforcement mechanisms apply filtering, inspection, and/or sanitization rules to the policy-relevant subcomponents of information to facilitate flow enforcement prior to transferring such information to different security domains.

-

when transferring information between different security domains, information is decomposed into for submission to policy enforcement mechanisms.

+

when transferring information between different security domains, information is decomposed into for submission to policy enforcement mechanisms.

@@ -4030,37 +3811,31 @@ Security or Privacy Policy Filter Constraints - - + + - -

security policy filters to be implemented that require fully enumerated formats restricting data structure and content have been defined;

-
+ +

security policy filters to be implemented that require fully enumerated formats restricting data structure and content have been defined;

+
- -

privacy policy filters to be implemented that require fully enumerated formats restricting data structure and content are defined;

-
+ +

privacy policy filters to be implemented that require fully enumerated formats restricting data structure and content are defined;

+
- + -

When transferring information between different security domains, implement requiring fully enumerated formats that restrict data structure and content.

+

When transferring information between different security domains, implement requiring fully enumerated formats that restrict data structure and content.

Data structure and content restrictions reduce the range of potential malicious or unsanctioned content in cross-domain transactions. Security or privacy policy filters that restrict data structures include restricting file sizes and field lengths. Data content policy filters include encoding formats for character sets, restricting character data fields to only contain alpha-numeric characters, prohibiting special characters, and validating schema structures.

@@ -4069,11 +3844,11 @@ -

when transferring information between different security domains, implemented require fully enumerated formats that restrict data structure and content;

+

when transferring information between different security domains, implemented require fully enumerated formats that restrict data structure and content;

-

when transferring information between different security domains, implemented require fully enumerated formats that restrict data structure and content.

+

when transferring information between different security domains, implemented require fully enumerated formats that restrict data structure and content.

@@ -4115,46 +3890,40 @@ Detection of Unsanctioned Information - - + + - -

unsanctioned information to be detected is defined;

-
+ +

unsanctioned information to be detected is defined;

+
- -

security policy that requires the transfer of unsanctioned information between different security domains to be prohibited is defined (if selected);

-
+ +

security policy that requires the transfer of unsanctioned information between different security domains to be prohibited is defined (if selected);

+
- -

privacy policy that requires the transfer of organization-defined unsanctioned information between different security domains to be prohibited is defined (if selected);

-
+ +

privacy policy that requires the transfer of organization-defined unsanctioned information between different security domains to be prohibited is defined (if selected);

+
- + -

When transferring information between different security domains, examine the information for the presence of and prohibit the transfer of such information in accordance with the .

+

When transferring information between different security domains, examine the information for the presence of and prohibit the transfer of such information in accordance with the .

Unsanctioned information includes malicious code, information that is inappropriate for release from the source network, or executable code that could disrupt or harm the services or systems on the destination network.

@@ -4163,15 +3932,15 @@ -

when transferring information between different security domains, information is examined for the presence of ;

+

when transferring information between different security domains, information is examined for the presence of ;

-

when transferring information between different security domains, transfer of is prohibited in accordance with the ;

+

when transferring information between different security domains, transfer of is prohibited in accordance with the ;

-

when transferring information between different security domains, transfer of is prohibited in accordance with the .

+

when transferring information between different security domains, transfer of is prohibited in accordance with the .

@@ -4227,22 +3996,20 @@ - + -

Uniquely identify and authenticate source and destination points by for information transfer.

+

Uniquely identify and authenticate source and destination points by for information transfer.

Attribution is a critical component of a security and privacy concept of operations. The ability to identify source and destination points for information flowing within systems allows the forensic reconstruction of events and encourages policy compliance by attributing policy violations to specific organizations or individuals. Successful domain authentication requires that system labels distinguish among systems, organizations, and individuals involved in preparing, sending, receiving, or disseminating information. Attribution also allows organizations to better maintain the lineage of personally identifiable information processing as it flows through systems and can facilitate consent tracking, as well as correction, deletion, or access requests from individuals.

-

source and destination points are uniquely identified and authenticated by for information transfer.

+

source and destination points are uniquely identified and authenticated by for information transfer.

@@ -4289,37 +4056,31 @@ Validation of Metadata - - + + - -

security policy filters to be implemented on metadata are defined (if selected);

-
+ +

security policy filters to be implemented on metadata are defined (if selected);

+
- -

privacy policy filters to be implemented on metadata are defined (if selected);

-
+ +

privacy policy filters to be implemented on metadata are defined (if selected);

+
- + -

When transferring information between different security domains, implement on metadata.

+

When transferring information between different security domains, implement on metadata.

All information (including metadata and the data to which the metadata applies) is subject to filtering and inspection. Some organizations distinguish between metadata and data payloads (i.e., only the data to which the metadata is bound). Other organizations do not make such distinctions and consider metadata and the data to which the metadata applies to be part of the payload.

@@ -4328,11 +4089,11 @@ -

when transferring information between different security domains, are implemented on metadata;

+

when transferring information between different security domains, are implemented on metadata;

-

when transferring information between different security domains, are implemented on metadata.

+

when transferring information between different security domains, are implemented on metadata.

@@ -4377,35 +4138,32 @@ - -

solutions in approved configurations to control the flow of information across security domains are defined;

-
+ +

solutions in approved configurations to control the flow of information across security domains are defined;

+
- -

information to be controlled when it flows across security domains is defined;

-
+ +

information to be controlled when it flows across security domains is defined;

+
- + -

Employ to control the flow of across security domains.

+

Employ to control the flow of across security domains.

-

Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The National Security Agency (NSA) National Cross Domain Strategy and Management Office provides a listing of approved cross-domain solutions. Contact ncdsmo@nsa.gov for more information.

+

Organizations define approved solutions and configurations in cross-domain policies and guidance in accordance with the types of information flows across classification boundaries. The National Security Agency (NSA) National Cross Domain Strategy and Management Office provides a listing of approved cross-domain solutions. Contact ncdsmo@nsa.gov for more information.

-

- are employed to control the flow of across security domains.

+

are employed to control the flow of across security domains.

@@ -4443,52 +4201,42 @@ Physical or Logical Separation of Information Flows - - + + - -

mechanisms and/or techniques used to logically separate information flows are defined (if selected);

-
+ +

mechanisms and/or techniques used to logically separate information flows are defined (if selected);

+
- -

mechanisms and/or techniques used to physically separate information flows are defined (if selected);

-
+ +

mechanisms and/or techniques used to physically separate information flows are defined (if selected);

+
- + - -

required separations by types of information are defined;

-
+ +

required separations by types of information are defined;

+
- - + + -

Separate information flows logically or physically using to accomplish .

+

Separate information flows logically or physically using to accomplish .

Enforcing the separation of information flows associated with defined types of data can enhance protection by ensuring that information is not commingled while in transit and by enabling flow control by transmission paths that are not otherwise achievable. Types of separable information include inbound and outbound communications traffic, service requests and responses, and information of differing security impact or classification levels.

@@ -4497,11 +4245,11 @@ -

information flows are separated logically using to accomplish ;

+

information flows are separated logically using to accomplish ;

-

information flows are separated physically using to accomplish .

+

information flows are separated physically using to accomplish .

@@ -4543,9 +4291,7 @@ - +

Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.

@@ -4593,29 +4339,25 @@ - -

modification action implemented on non-releasable information is defined;

-
+ +

modification action implemented on non-releasable information is defined;

+
- - + + -

When transferring information between different security domains, modify non-releasable information by implementing .

+

When transferring information between different security domains, modify non-releasable information by implementing .

Modifying non-releasable information can help prevent a data spill or attack when information is transferred across security domains. Modification actions include masking, permutation, alteration, removal, or redaction.

-

when transferring information between security domains, non-releasable information is modified by implementing .

+

when transferring information between security domains, non-releasable information is modified by implementing .

@@ -4652,9 +4394,7 @@ - +

When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.

@@ -4717,27 +4457,25 @@ - -

policy for sanitizing data is defined;

-
+ +

policy for sanitizing data is defined;

+
- + -

When transferring information between different security domains, sanitize data to minimize in accordance with .

+

When transferring information between different security domains, sanitize data to minimize in accordance with .

Data sanitization is the process of irreversibly removing or destroying data stored on a memory device (e.g., hard drives, flash memory/solid state drives, mobile devices, CDs, and DVDs) or in hard copy form.

-

when transferring information between different security domains, data is sanitized to minimize in accordance with .

+

when transferring information between different security domains, data is sanitized to minimize in accordance with .

@@ -4774,12 +4512,8 @@ - - + + @@ -4788,7 +4522,7 @@

When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.

-

Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined policy. Content filtering actions and the results of filtering actions are recorded for individual messages to ensure that the correct filter actions were applied. Content filter reports are used to assist in troubleshooting actions by, for example, determining why message content was modified and/or why it failed the filtering process. Audit events are defined in AU-2 . Audit records are generated in AU-12.

+

Content filtering is the process of inspecting information as it traverses a cross-domain solution and determines if the information meets a predefined policy. Content filtering actions and the results of filtering actions are recorded for individual messages to ensure that the correct filter actions were applied. Content filter reports are used to assist in troubleshooting actions by, for example, determining why message content was modified and/or why it failed the filtering process. Audit events are defined in AU-2 . Audit records are generated in AU-12.

@@ -4838,9 +4572,7 @@ - +

When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.

@@ -4887,9 +4619,7 @@ - +

When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.

@@ -4938,19 +4668,15 @@ - -

policy for content-filtering actions is defined;

-
+ +

policy for content-filtering actions is defined;

+
- - + +

When transferring information between different security domains, employ content filter orchestration engines to ensure that:

@@ -4960,7 +4686,7 @@
-

Content filtering actions occur in the correct order and comply with .

+

Content filtering actions occur in the correct order and comply with .

@@ -4980,7 +4706,7 @@ -

when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions comply with .

+

when transferring information between security domains, content filter orchestration engines are employed to ensure that content-filtering actions comply with .

@@ -5020,9 +4746,7 @@ - +

When transferring information between different security domains, implement content filtering mechanisms using multiple processes.

@@ -5070,9 +4794,7 @@ - +

When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.

@@ -5119,9 +4841,7 @@ - +

When transferring information between different security domains, the process that transfers information between filter pipelines:

@@ -5200,21 +4920,17 @@ Separation of Duties - + - -

duties of individuals requiring separation are defined;

-
+ +

duties of individuals requiring separation are defined;

+
- + @@ -5234,7 +4950,7 @@ -

Identify and document ; and

+

Identify and document ; and

@@ -5242,14 +4958,13 @@
-

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in AC-2 , access control mechanisms in AC-3 , and identity management activities in IA-2, IA-4 , and IA-12.

+

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in AC-2 , access control mechanisms in AC-3 , and identity management activities in IA-2, IA-4 , and IA-12.

-

- are identified and documented;

+

are identified and documented;

@@ -5292,9 +5007,7 @@ - + @@ -5349,15 +5062,9 @@ Authorize Access to Security Functions - - - + + + @@ -5365,45 +5072,43 @@ - -

individuals and roles with authorized access to security functions and security-relevant information are defined;

-
+ +

individuals and roles with authorized access to security functions and security-relevant information are defined;

+
- -

security functions (deployed in hardware) for authorized access are defined;

-
+ +

security functions (deployed in hardware) for authorized access are defined;

+
- -

security functions (deployed in software) for authorized access are defined;

-
+ +

security functions (deployed in software) for authorized access are defined;

+
- -

security functions (deployed in firmware) for authorized access are defined;

-
+ +

security functions (deployed in firmware) for authorized access are defined;

+
- -

security-relevant information for authorized access is defined;

-
+ +

security-relevant information for authorized access is defined;

+
- + @@ -5411,16 +5116,14 @@ -

Authorize access for to:

+

Authorize access for to:

-

- ; and

+

; and

-

- .

+

.

@@ -5432,20 +5135,20 @@ -

access is authorized for to ;

+

access is authorized for to ;

-

access is authorized for to ;

+

access is authorized for to ;

-

access is authorized for to ;

+

access is authorized for to ;

-

access is authorized for to .

+

access is authorized for to .

@@ -5484,30 +5187,28 @@ - -

security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;

-
+ +

security functions or security-relevant information, the access to which requires users to use non-privileged accounts to access non-security functions, are defined;

+
- + -

Require that users of system accounts (or roles) with access to use non-privileged accounts or roles, when accessing nonsecurity functions.

+

Require that users of system accounts (or roles) with access to use non-privileged accounts or roles, when accessing nonsecurity functions.

Requiring the use of non-privileged accounts when accessing nonsecurity functions limits exposure when operating from within privileged accounts or roles. The inclusion of roles addresses situations where organizations implement access control policies, such as role-based access control, and where a change of role provides the same degree of assurance in the change of access authorizations for the user and the processes acting on behalf of the user as would be provided by a change between a privileged and non-privileged account.

-

users of system accounts (or roles) with access to are required to use non-privileged accounts or roles when accessing non-security functions.

+

users of system accounts (or roles) with access to are required to use non-privileged accounts or roles when accessing non-security functions.

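Review bot: style point to track, not to fix here: the statement line `Require that users of system accounts (or roles) with access to use non-privileged accounts or roles, when accessing nonsecurity functions.` and the objective line `... required to use non-privileged accounts or roles when accessing non-security functions.` spell the term two ways within one control. A whitespace-only fixup should not silently change either, so leaving both as they are is correct; please open a separate content issue for the inconsistency rather than folding it into this commit.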
@@ -5545,30 +5246,28 @@ - -

privileged commands to which network access is to be authorized only for compelling operational needs are defined;

-
+ +

privileged commands to which network access is to be authorized only for compelling operational needs are defined;

+
- -

compelling operational needs necessitating network access to privileged commands are defined;

-
+ +

compelling operational needs necessitating network access to privileged commands are defined;

+
- + -

Authorize network access to only for and document the rationale for such access in the security plan for the system.

+

Authorize network access to only for and document the rationale for such access in the security plan for the system.

Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).

@@ -5577,7 +5276,7 @@ -

network access to is authorized only for ;

+

network access to is authorized only for ;

@@ -5618,12 +5317,8 @@ - - + + @@ -5677,29 +5372,27 @@ - -

personnel or roles to which privileged accounts on the system are to be restricted is/are defined;

-
+ +

personnel or roles to which privileged accounts on the system are to be restricted is/are defined;

+
- + -

Restrict privileged accounts on the system to .

+

Restrict privileged accounts on the system to .

Privileged accounts, including super user accounts, are typically described as system administrator for various types of commercial off-the-shelf operating systems. Restricting privileged accounts to specific personnel or roles prevents day-to-day users from accessing privileged information or privileged functions. Organizations may differentiate in the application of restricting privileged accounts between allowed privileges for local accounts and for domain accounts provided that they retain the ability to control system configurations for key parameters and as otherwise necessary to sufficiently mitigate risk.

-

privileged accounts on the system are restricted to .

+

privileged accounts on the system are restricted to .

@@ -5737,9 +5430,7 @@ - + @@ -5792,31 +5483,29 @@ - -

the frequency at which to review the privileges assigned to roles or classes of users is defined;

-
+ +

the frequency at which to review the privileges assigned to roles or classes of users is defined;

+
- -

roles or classes of users to which privileges are assigned are defined;

-
+ +

roles or classes of users to which privileges are assigned are defined;

+
- + -

Review the privileges assigned to to validate the need for such privileges; and

+

Review the privileges assigned to to validate the need for such privileges; and

@@ -5830,7 +5519,7 @@ -

privileges assigned to are reviewed to validate the need for such privileges;

+

privileges assigned to are reviewed to validate the need for such privileges;

@@ -5876,27 +5565,24 @@ - -

software to be prevented from executing at higher privilege levels than users executing the software is defined;

-
+ +

software to be prevented from executing at higher privilege levels than users executing the software is defined;

+
- + -

Prevent the following software from executing at higher privilege levels than users executing the software: .

+

Prevent the following software from executing at higher privilege levels than users executing the software: .

In certain situations, software applications or programs need to execute with elevated privileges to perform required functions. However, depending on the software functionality and configuration, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications or programs, those users may indirectly be provided with greater privileges than assigned.

-

- is prevented from executing at higher privilege levels than users executing the software.

+

is prevented from executing at higher privilege levels than users executing the software.

@@ -5935,9 +5621,7 @@ - + @@ -5990,15 +5674,13 @@ - +

Prevent non-privileged users from executing privileged functions.

-

Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by AC-3.

+

Privileged functions include disabling, circumventing, or altering implemented security or privacy controls, establishing system accounts, performing system integrity checks, and administering cryptographic key management activities. Non-privileged users are individuals who do not possess appropriate authorizations. Privileged functions that require protection from non-privileged users include circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms. Preventing non-privileged users from executing privileged functions is enforced by AC-3.

@@ -6042,62 +5724,57 @@ - -

the number of consecutive invalid logon attempts by a user allowed during a time period is defined;

-
+ +

the number of consecutive invalid logon attempts by a user allowed during a time period is defined;

+
- -

the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;

-
+ +

the time period to which the number of consecutive invalid logon attempts by a user is limited is defined;

+
- -

time period for an account or node to be locked is defined (if selected);

-
+ +

time period for an account or node to be locked is defined (if selected);

+
- -

delay algorithm for the next logon prompt is defined (if selected);

-
+ +

delay algorithm for the next logon prompt is defined (if selected);

+
- -

other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);

-
+ +

other action to be taken when the maximum number of unsuccessful attempts is exceeded is defined (if selected);

+
- + @@ -6108,11 +5785,11 @@ -

Enforce a limit of consecutive invalid logon attempts by a user during a ; and

+

Enforce a limit of consecutive invalid logon attempts by a user during a ; and

-

Automatically when the maximum number of unsuccessful attempts is exceeded.

+

Automatically when the maximum number of unsuccessful attempts is exceeded.

@@ -6122,11 +5799,11 @@ -

a limit of consecutive invalid logon attempts by a user during is enforced;

+

a limit of consecutive invalid logon attempts by a user during is enforced;

-

automatically when the maximum number of unsuccessful attempts is exceeded.

+

automatically when the maximum number of unsuccessful attempts is exceeded.

@@ -6172,48 +5849,44 @@ - -

mobile devices to be purged or wiped of information are defined;

-
+ +

mobile devices to be purged or wiped of information are defined;

+
- + - -

purging or wiping requirements and techniques to be used when mobile devices are purged or wiped of information are defined;

-
+ +

purging or wiping requirements and techniques to be used when mobile devices are purged or wiped of information are defined;

+
- -

the number of consecutive, unsuccessful logon attempts before the information is purged or wiped from mobile devices is defined;

-
+ +

the number of consecutive, unsuccessful logon attempts before the information is purged or wiped from mobile devices is defined;

+
- + -

Purge or wipe information from based on after consecutive, unsuccessful device logon attempts.

+

Purge or wipe information from based on after consecutive, unsuccessful device logon attempts.

A mobile device is a computing device that has a small form factor such that it can be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Purging or wiping the device applies only to mobile devices for which the organization-defined number of unsuccessful logons occurs. The logon is to the mobile device, not to any one account on the device. Successful logons to accounts on mobile devices reset the unsuccessful logon count to zero. Purging or wiping may be unnecessary if the information on the device is protected with sufficiently strong encryption mechanisms.

-

information is purged or wiped from based on after consecutive, unsuccessful device logon attempts.

+

information is purged or wiped from based on after consecutive, unsuccessful device logon attempts.

@@ -6252,27 +5925,25 @@ - -

the number of unsuccessful biometric logon attempts is defined;

-
+ +

the number of unsuccessful biometric logon attempts is defined;

+
- + -

Limit the number of unsuccessful biometric logon attempts to .

+

Limit the number of unsuccessful biometric logon attempts to .

Biometrics are probabilistic in nature. The ability to successfully authenticate can be impacted by many factors, including matching performance and presentation attack detection mechanisms. Organizations select the appropriate number of attempts for users based on organizationally-defined factors.

-

unsuccessful biometric logon attempts are limited to .

+

unsuccessful biometric logon attempts are limited to .

@@ -6309,45 +5980,41 @@ - -

authentication factors allowed to be used that are different from the primary authentication factors are defined;

-
+ +

authentication factors allowed to be used that are different from the primary authentication factors are defined;

+
- -

the number of consecutive, invalid logon attempts through the use of alternative factors for which to enforce a limit by a user is defined;

-
+ +

the number of consecutive, invalid logon attempts through the use of alternative factors for which to enforce a limit by a user is defined;

+
- -

time period during which a user can attempt logons through alternative factors is defined;

-
+ +

time period during which a user can attempt logons through alternative factors is defined;

+
- - + + -

Allow the use of that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and

+

Allow the use of that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and

-

Enforce a limit of consecutive invalid logon attempts through use of the alternative factors by a user during a .

+

Enforce a limit of consecutive invalid logon attempts through use of the alternative factors by a user during a .

@@ -6357,12 +6024,11 @@ -

- that are different from the primary authentication factors are allowed to be used after the number of organization-defined consecutive invalid logon attempts have been exceeded;

+

that are different from the primary authentication factors are allowed to be used after the number of organization-defined consecutive invalid logon attempts have been exceeded;

-

a limit of consecutive invalid logon attempts through the use of the alternative factors by the user during a is enforced.

+

a limit of consecutive invalid logon attempts through the use of the alternative factors by the user during a is enforced.

@@ -6399,39 +6065,33 @@ System Use Notification - + - -

system use notification message or banner to be displayed by the system to users before granting access to the system is defined;

-
+ +

system use notification message or banner to be displayed by the system to users before granting access to the system is defined;

+
- -

conditions for system use to be displayed by the system before granting further access are defined;

-
+ +

conditions for system use to be displayed by the system before granting further access are defined;

+
- - + + -

Display to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:

+

Display to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:

Users are accessing a U.S. Government system;

@@ -6458,7 +6118,7 @@

For publicly accessible systems:

-

Display system use information , before granting further access to the publicly accessible system;

+

Display system use information , before granting further access to the publicly accessible system;

@@ -6477,8 +6137,7 @@ -

- is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+

is displayed to users before granting access to the system that provides privacy and security notices consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

the system use notification states that users are accessing a U.S. Government system;

@@ -6504,7 +6163,7 @@ -

for publicly accessible systems, system use information is displayed before granting further access to the publicly accessible system;

+

for publicly accessible systems, system use information is displayed before granting further access to the publicly accessible system;

@@ -6558,9 +6217,7 @@ - + @@ -6607,9 +6264,7 @@ - +

Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.

@@ -6666,26 +6321,24 @@ - -

the time period for which the system notifies the user of the number of successful logons, unsuccessful logon attempts, or both is defined;

-
+ +

the time period for which the system notifies the user of the number of successful logons, unsuccessful logon attempts, or both is defined;

+
- + -

Notify the user, upon successful logon, of the number of during .

+

Notify the user, upon successful logon, of the number of during .

Information about the number of successful and unsuccessful logon attempts within a specified time period allows the user to recognize if the number and type of logon attempts are consistent with the user’s actual logon attempts.

-

the user is notified, upon successful logon, of the number of during .

+

the user is notified, upon successful logon, of the number of during .

@@ -6721,39 +6374,35 @@ Notification of Account Changes - + - -

changes to security-related characteristics or parameters of the user’s account that require notification are defined;

-
+ +

changes to security-related characteristics or parameters of the user’s account that require notification are defined;

+
- -

the time period for which the system notifies the user of changes to security-related characteristics or parameters of the user’s account is defined;

-
+ +

the time period for which the system notifies the user of changes to security-related characteristics or parameters of the user’s account is defined;

+
- + -

Notify the user, upon successful logon, of changes to during .

+

Notify the user, upon successful logon, of changes to during .

Information about changes to security-related account characteristics within a specified time period allows users to recognize if changes were made without their knowledge.

-

the user is notified, upon successful logon, of changes to during .

+

the user is notified, upon successful logon, of changes to during .

@@ -6791,26 +6440,24 @@ - -

additional information about which to notify the user is defined;

-
+ +

additional information about which to notify the user is defined;

+
- + -

Notify the user, upon successful logon, of the following additional information: .

+

Notify the user, upon successful logon, of the following additional information: .

Organizations can specify additional information to be provided to users upon logon, including the location of the last logon. User location is defined as information that can be determined by systems, such as Internet Protocol (IP) addresses from which network logons occurred, notifications of local logons, or device identifiers.

-

the user is notified, upon successful logon, of .

+

the user is notified, upon successful logon, of .

@@ -6847,39 +6494,35 @@ Concurrent Session Control - + - -

accounts and/or account types for which to limit the number of concurrent sessions is defined;

-
+ +

accounts and/or account types for which to limit the number of concurrent sessions is defined;

+
- -

the number of concurrent sessions to be allowed for each account and/or account type is defined;

-
+ +

the number of concurrent sessions to be allowed for each account and/or account type is defined;

+
- + -

Limit the number of concurrent sessions for each to .

+

Limit the number of concurrent sessions for each to .

Organizations may define the maximum number of concurrent sessions for system accounts globally, by account type, by account, or any combination thereof. For example, organizations may limit the number of concurrent sessions for system administrators or other individuals working in particularly sensitive domains or mission-critical applications. Concurrent session control addresses concurrent sessions for system accounts. It does not, however, address concurrent sessions by single users via multiple system accounts.

-

the number of concurrent sessions for each is limited to .

+

the number of concurrent sessions for each is limited to .

@@ -6925,16 +6568,14 @@ - -

time period of inactivity after which a device lock is initiated is defined (if selected);

-
+ +

time period of inactivity after which a device lock is initiated is defined (if selected);

+
- + @@ -6942,7 +6583,7 @@ -

Prevent further access to the system by ; and

+

Prevent further access to the system by ; and

@@ -6956,7 +6597,7 @@ -

further access to the system is prevented by ;

+

further access to the system is prevented by ;

@@ -6998,9 +6639,7 @@ - +

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

@@ -7047,33 +6686,29 @@ Session Termination - + - -

conditions or trigger events requiring session disconnect are defined;

-
+ +

conditions or trigger events requiring session disconnect are defined;

+
- + -

Automatically terminate a user session after .

+

Automatically terminate a user session after .

-

Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10 , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.

+

Session termination addresses the termination of user-initiated logical sessions (in contrast to SC-10 , which addresses the termination of network connections associated with communications sessions (i.e., network disconnect)). A logical session (for local, network, and remote access) is initiated whenever a user (or process acting on behalf of a user) accesses an organizational system. Such user sessions can be terminated without terminating network sessions. Session termination ends all processes associated with a user’s logical session except for those processes that are specifically created by the user (i.e., session owner) to continue after the session is terminated. Conditions or trigger events that require automatic termination of the session include organization-defined periods of user inactivity, targeted responses to certain types of incidents, or time-of-day restrictions on system use.

-

a user session is automatically terminated after .

+

a user session is automatically terminated after .

@@ -7111,29 +6746,25 @@ - -

information resources for which a logout capability for user-initiated communications sessions is required are defined;

-
+ +

information resources for which a logout capability for user-initiated communications sessions is required are defined;

+
- - + + -

Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to .

+

Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to .

Information resources to which users gain access via authentication include local workstations, databases, and password-protected websites or web-based services.

-

a logout capability is provided for user-initiated communications sessions whenever authentication is used to gain access to .

+

a logout capability is provided for user-initiated communications sessions whenever authentication is used to gain access to .

@@ -7172,9 +6803,7 @@ - +

Display an explicit logout message to users indicating the termination of authenticated communications sessions.

@@ -7225,26 +6854,24 @@ - -

time until the end of session for display to users is defined;

-
+ +

time until the end of session for display to users is defined;

+
- + -

Display an explicit message to users indicating that the session will end in .

+

Display an explicit message to users indicating that the session will end in .

-

To increase usability, notify users of pending session termination and prompt users to continue the session. The pending session termination time period is based on the parameters defined in the AC-12 base control.

+

To increase usability, notify users of pending session termination and prompt users to continue the session. The pending session termination time period is based on the parameters defined in the AC-12 base control.

-

an explicit message to users is displayed indicating that the session will end in .

+

an explicit message to users is displayed indicating that the session will end in .

@@ -7294,23 +6921,21 @@ - -

user actions that can be performed on the system without identification or authentication are defined;

-
+ +

user actions that can be performed on the system without identification or authentication are defined;

+
- + -

Identify that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and

+

Identify that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and

@@ -7318,15 +6943,13 @@
-

Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be none. -

+

Specific user actions may be permitted without identification or authentication if organizations determine that identification and authentication are not required for the specified user actions. Organizations may allow a limited number of user actions without identification or authentication, including when individuals access public websites or other publicly accessible federal systems, when individuals use mobile phones to receive calls, or when facsimiles are received. Organizations identify actions that normally require identification or authentication but may, under certain circumstances, allow identification or authentication mechanisms to be bypassed. Such bypasses may occur, for example, via a software-readable physical switch that commands bypass of the logon functionality and is protected from accidental or unmonitored use. Permitting actions without identification or authentication does not apply to situations where identification and authentication have already occurred and are not repeated but rather to situations where identification and authentication have not yet occurred. Organizations may decide that there are no user actions that can be performed on organizational systems without identification and authentication, and therefore, the value for the assignment operation can be none.

-

- that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;

+

that can be performed on the system without identification or authentication consistent with organizational mission and business functions are identified;

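Review bot: at the pair `... the value for the assignment operation can be none. -` / `+ ... the value for the assignment operation can be none.` the old line ends with a stray ` -` that the new line drops. If that is the marker of an empty removed line run together with the text, this is the intended whitespace cleanup; if it is a character inside the paragraph, the commit changes prose. A character-level comparison of that `p` element's string value before and after would settle it; please note the result in the review thread.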
@@ -7382,146 +7005,118 @@ Security and Privacy Attributes - - + + - - + + - - + + - - + + - - + + - - + + - -

types of security attributes to be associated with information security attribute values for information in storage, in process, and/or in transmission are defined;

-
+ +

types of security attributes to be associated with information security attribute values for information in storage, in process, and/or in transmission are defined;

+
- -

types of privacy attributes to be associated with privacy attribute values for information in storage, in process, and/or in transmission are defined;

-
+ +

types of privacy attributes to be associated with privacy attribute values for information in storage, in process, and/or in transmission are defined;

+
- -

security attribute values for types of security attributes are defined;

-
+ +

security attribute values for types of security attributes are defined;

+
- -

privacy attribute values for types of privacy attributes are defined;

-
+ +

privacy attribute values for types of privacy attributes are defined;

+
- -

systems for which permitted security attributes are to be established are defined;

-
+ +

systems for which permitted security attributes are to be established are defined;

+
- -

systems for which permitted privacy attributes are to be established are defined;

-
+ +

systems for which permitted privacy attributes are to be established are defined;

+
- -

security attributes defined as part of AC-16a that are permitted for systems are defined;

-
+ +

security attributes defined as part of AC-16a that are permitted for systems are defined;

+
- -

privacy attributes defined as part of AC-16a that are permitted for systems are defined;

-
+ +

privacy attributes defined as part of AC-16a that are permitted for systems are defined;

+
- + - -

attribute values or ranges for established attributes are defined;

-
+ +

attribute values or ranges for established attributes are defined;

+
- -

the frequency at which to review security attributes for applicability is defined;

-
+ +

the frequency at which to review security attributes for applicability is defined;

+
- -

the frequency at which to review privacy attributes for applicability is defined;

-
+ +

the frequency at which to review privacy attributes for applicability is defined;

+
- + @@ -7546,7 +7141,7 @@ -

Provide the means to associate with for information in storage, in process, and/or in transmission;

+

Provide the means to associate with for information in storage, in process, and/or in transmission;

@@ -7554,11 +7149,11 @@ -

Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for : ;

+

Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for : ;

-

Determine the following permitted attribute values or ranges for each of the established attributes: ;

+

Determine the following permitted attribute values or ranges for each of the established attributes: ;

@@ -7566,13 +7161,13 @@ -

Review for applicability .

+

Review for applicability .

Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are typically associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are typically associated with data structures, such as records, buffers, tables, files, inter-process pipes, and communications ports. Security attributes, a form of metadata, are abstractions that represent the basic properties or characteristics of active and passive entities with respect to safeguarding information. Privacy attributes, which may be used independently or in conjunction with security attributes, represent the basic properties or characteristics of active or passive entities with respect to the management of personally identifiable information. Attributes can be either explicitly or implicitly associated with the information contained in organizational systems or system components.

Attributes may be associated with active entities (i.e., subjects) that have the potential to send or receive information, cause information to flow among objects, or change the system state. These attributes may also be associated with passive entities (i.e., objects) that contain or receive information. The association of attributes to subjects and objects by a system is referred to as binding and is inclusive of setting the attribute value and the attribute type. Attributes, when bound to data or information, permit the enforcement of security and privacy policies for access control and information flow control, including data retention limits, permitted uses of personally identifiable information, and identification of personal information within data objects. Such enforcement occurs through organizational processes or system functions or mechanisms. The binding techniques implemented by systems affect the strength of attribute binding to information. Binding strength and the assurance associated with binding techniques play important parts in the trust that organizations have in the information flow enforcement process. The binding techniques affect the number and degree of additional reviews required by organizations. The content or assigned values of attributes can directly affect the ability of individuals to access organizational information.

-

Organizations can define the types of attributes needed for systems to support missions or business functions. There are many values that can be assigned to a security attribute. By specifying the permitted attribute ranges and values, organizations ensure that attribute values are meaningful and relevant. Labeling refers to the association of attributes with the subjects and objects represented by the internal data structures within systems. This facilitates system-based enforcement of information security and privacy policies. Labels include classification of information in accordance with legal and compliance requirements (e.g., top secret, secret, confidential, controlled unclassified), information impact level; high value asset information, access authorizations, nationality; data life cycle protection (i.e., encryption and data expiration), personally identifiable information processing permissions, including individual consent to personally identifiable information processing, and contractor affiliation. A related term to labeling is marking. Marking refers to the association of attributes with objects in a human-readable form and displayed on system media. Marking enables manual, procedural, or process-based enforcement of information security and privacy policies. Security and privacy labels may have the same value as media markings (e.g., top secret, secret, confidential). See MP-3 (Media Marking).

+

Organizations can define the types of attributes needed for systems to support missions or business functions. There are many values that can be assigned to a security attribute. By specifying the permitted attribute ranges and values, organizations ensure that attribute values are meaningful and relevant. Labeling refers to the association of attributes with the subjects and objects represented by the internal data structures within systems. This facilitates system-based enforcement of information security and privacy policies. Labels include classification of information in accordance with legal and compliance requirements (e.g., top secret, secret, confidential, controlled unclassified), information impact level; high value asset information, access authorizations, nationality; data life cycle protection (i.e., encryption and data expiration), personally identifiable information processing permissions, including individual consent to personally identifiable information processing, and contractor affiliation. A related term to labeling is marking. Marking refers to the association of attributes with objects in a human-readable form and displayed on system media. Marking enables manual, procedural, or process-based enforcement of information security and privacy policies. Security and privacy labels may have the same value as media markings (e.g., top secret, secret, confidential). See MP-3 (Media Marking).

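Review bot: The removed and added lines of the AC-16 discussion paragraph in this hunk carry identical text, so the only difference is indentation or line-wrapping that the reviewer cannot see in the rendered diff. For a change of this shape, please attach evidence that the pair is whitespace-only rather than asking reviewers to read every hunk, for example the output of a whitespace-insensitive comparison (`diff -w`) or of a canonicalized XML comparison of the old and new catalog files; a zero-length result from that check is the real review artifact for a cosmetic commit.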
@@ -7580,11 +7175,11 @@ -

the means to associate with for information in storage, in process, and/or in transmission are provided;

+

the means to associate with for information in storage, in process, and/or in transmission are provided;

-

the means to associate with for information in storage, in process, and/or in transmission are provided;

+

the means to associate with for information in storage, in process, and/or in transmission are provided;

@@ -7602,16 +7197,16 @@ -

the following permitted security attributes are established from the attributes defined in AC-16_ODP[01] for : ;

+

the following permitted security attributes are established from the attributes defined in AC-16_ODP[01] for : ;

-

the following permitted privacy attributes are established from the attributes defined in AC-16_ODP[02] for : ;

+

the following permitted privacy attributes are established from the attributes defined in AC-16_ODP[02] for : ;

-

the following permitted attribute values or ranges for each of the established attributes are determined: ;

+

the following permitted attribute values or ranges for each of the established attributes are determined: ;

@@ -7621,13 +7216,11 @@ -

- are reviewed for applicability ;

+

are reviewed for applicability ;

-

- are reviewed for applicability .

+

are reviewed for applicability .

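Review bot: The removed lines `- are reviewed for applicability ;` and `- are reviewed for applicability .` show a leading space before `are` that their added counterparts `are reviewed for applicability ;` and `are reviewed for applicability .` no longer show. If that space belongs to a text node that follows an inline parameter insertion (the parameter value is what is missing at the start of the sentence), stripping it would run the inserted value straight into the word when the assessment objective is rendered. Please confirm whether the reformat trims leading whitespace inside mixed-content text nodes or only reindents element content; the same pattern recurs in later hunks of this file (for example the `are implemented in associating ... attributes to information` objectives), so a single answer covers all of them.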
@@ -7664,80 +7257,66 @@ Dynamic Attribute Association - - - - + + + + - - + + - -

subjects with which security attributes are to be dynamically associated as information is created and combined are defined;

-
+ +

subjects with which security attributes are to be dynamically associated as information is created and combined are defined;

+
- -

objects with which security attributes are to be dynamically associated as information is created and combined are defined;

-
+ +

objects with which security attributes are to be dynamically associated as information is created and combined are defined;

+
- -

subjects with which privacy attributes are to be dynamically associated as information is created and combined are defined;

-
+ +

subjects with which privacy attributes are to be dynamically associated as information is created and combined are defined;

+
- -

objects with which privacy attributes are to be dynamically associated as information is created and combined are defined;

-
+ +

objects with which privacy attributes are to be dynamically associated as information is created and combined are defined;

+
- -

security policies requiring dynamic association of security attributes with subjects and objects are defined;

-
+ +

security policies requiring dynamic association of security attributes with subjects and objects are defined;

+
- -

privacy policies requiring dynamic association of privacy attributes with subjects and objects are defined;

-
+ +

privacy policies requiring dynamic association of privacy attributes with subjects and objects are defined;

+
- + -

Dynamically associate security and privacy attributes with in accordance with the following security and privacy policies as information is created and combined: .

+

Dynamically associate security and privacy attributes with in accordance with the following security and privacy policies as information is created and combined: .

Dynamic association of attributes is appropriate whenever the security or privacy characteristics of information change over time. Attributes may change due to information aggregation issues (i.e., characteristics of individual data elements are different from the combined elements), changes in individual access authorizations (i.e., privileges), changes in the security category of information, or changes in security or privacy policies. Attributes may also change situationally.

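Review bot: The hunk header `@@ -7664,80 +7257,66 @@` shows this region shrinking from 80 to 66 lines while every visible `-`/`+` pair carries the same text, so the reformat is removing lines, not just reindenting them. The commit message says only "Cosmetic (whitespace) fixup"; please state the formatting rule being applied (which elements are put on their own line, which blank or indentation-only lines are dropped, how `p` content is wrapped) so that the next regeneration of this catalog from upstream reproduces the same layout and does not reintroduce a large whitespace-only diff that hides any real content change.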
@@ -7746,19 +7325,19 @@ -

security attributes are dynamically associated with in accordance with the following security policies as information is created and combined: ;

+

security attributes are dynamically associated with in accordance with the following security policies as information is created and combined: ;

-

security attributes are dynamically associated with in accordance with the following security policies as information is created and combined: ;

+

security attributes are dynamically associated with in accordance with the following security policies as information is created and combined: ;

-

privacy attributes are dynamically associated with in accordance with the following privacy policies as information is created and combined: ;

+

privacy attributes are dynamically associated with in accordance with the following privacy policies as information is created and combined: ;

-

privacy attributes are dynamically associated with in accordance with the following privacy policies as information is created and combined: .

+

privacy attributes are dynamically associated with in accordance with the following privacy policies as information is created and combined: .

@@ -7797,9 +7376,7 @@ - +

Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes.

@@ -7853,101 +7430,87 @@ Maintenance of Attribute Associations by System - - + + - - - - + + + + - -

security attributes that require association and integrity maintenance are defined;

-
+ +

security attributes that require association and integrity maintenance are defined;

+
- -

privacy attributes that require association and integrity maintenance are defined;

-
+ +

privacy attributes that require association and integrity maintenance are defined;

+
- -

subjects requiring the association and integrity of security attributes to such subjects to be maintained are defined;

-
+ +

subjects requiring the association and integrity of security attributes to such subjects to be maintained are defined;

+
- -

objects requiring the association and integrity of security attributes to such objects to be maintained are defined;

-
+ +

objects requiring the association and integrity of security attributes to such objects to be maintained are defined;

+
- -

subjects requiring the association and integrity of privacy attributes to such subjects to be maintained are defined;

-
+ +

subjects requiring the association and integrity of privacy attributes to such subjects to be maintained are defined;

+
- -

objects requiring the association and integrity of privacy attributes to such objects to be maintained are defined;

-
+ +

objects requiring the association and integrity of privacy attributes to such objects to be maintained are defined;

+
- + -

Maintain the association and integrity of to .

+

Maintain the association and integrity of to .

-

Maintaining the association and integrity of security and privacy attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. The integrity of specific items, such as security configuration files, may be maintained through the use of an integrity monitoring mechanism that detects anomalies and changes that deviate from known good baselines. Automated policy actions include retention date expirations, access control decisions, information flow control decisions, and information disclosure decisions.

+

Maintaining the association and integrity of security and privacy attributes to subjects and objects with sufficient assurance helps to ensure that the attribute associations can be used as the basis of automated policy actions. The integrity of specific items, such as security configuration files, may be maintained through the use of an integrity monitoring mechanism that detects anomalies and changes that deviate from known good baselines. Automated policy actions include retention date expirations, access control decisions, information flow control decisions, and information disclosure decisions.

-

the association and integrity of to is maintained;

+

the association and integrity of to is maintained;

-

the association and integrity of to is maintained.

+

the association and integrity of to is maintained.

-

the association and integrity of to is maintained;

+

the association and integrity of to is maintained;

-

the association and integrity of to is maintained.

+

the association and integrity of to is maintained.

@@ -7983,100 +7546,82 @@ Association of Attributes by Authorized Individuals - - - - + + + + - - - - + + + + - -

security attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined;

-
+ +

security attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined;

+
- -

security attributes to be associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined;

-
+ +

security attributes to be associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined;

+
- -

privacy attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined;

-
+ +

privacy attributes to be associated with subjects by authorized individuals (or processes acting on behalf of individuals) are defined;

+
- -

privacy attributes to be associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined;

-
+ +

privacy attributes to be associated with objects by authorized individuals (or processes acting on behalf of individuals) are defined;

+
- -

subjects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined;

-
+ +

subjects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined;

+
- -

objects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined;

-
+ +

objects requiring the association of security attributes by authorized individuals (or processes acting on behalf of individuals) are defined;

+
- -

subjects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined;

-
+ +

subjects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined;

+
- -

objects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined;

-
+ +

objects requiring the association of privacy attributes by authorized individuals (or processes acting on behalf of individuals) are defined;

+
- + -

Provide the capability to associate with by authorized individuals (or processes acting on behalf of individuals).

+

Provide the capability to associate with by authorized individuals (or processes acting on behalf of individuals).

Systems, in general, provide the capability for privileged users to assign security and privacy attributes to system-defined subjects (e.g., users) and objects (e.g., directories, files, and ports). Some systems provide additional capability for general users to assign security and privacy attributes to additional objects (e.g., files, emails). The association of attributes by authorized individuals is described in the design documentation. The support provided by systems can include prompting users to select security and privacy attributes to be associated with information objects, employing automated mechanisms to categorize information with attributes based on defined policies, or ensuring that the combination of the security or privacy attributes selected is valid. Organizations consider the creation, deletion, or modification of attributes when defining auditable events.

@@ -8085,19 +7630,19 @@ -

authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate with ;

+

authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate with ;

-

authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate with ;

+

authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate with ;

-

authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate with ;

+

authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate with ;

-

authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate with .

+

authorized individuals (or processes acting on behalf of individuals) are provided with the capability to associate with .

@@ -8137,35 +7682,29 @@ Attribute Displays on Objects to Be Output - + - -

special dissemination, handling, or distribution instructions to be used for each object that the system transmits to output devices are defined;

-
+ +

special dissemination, handling, or distribution instructions to be used for each object that the system transmits to output devices are defined;

+
- + - -

human-readable, standard naming conventions for the security and privacy attributes to be displayed in human-readable form on each object that the system transmits to output devices are defined;

-
+ +

human-readable, standard naming conventions for the security and privacy attributes to be displayed in human-readable form on each object that the system transmits to output devices are defined;

+
- + -

Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify using .

+

Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify using .

System outputs include printed pages, screens, or equivalent items. System output devices include printers, notebook computers, video displays, smart phones, and tablets. To mitigate the risk of unauthorized exposure of information (e.g., shoulder surfing), the outputs display full attribute values when unmasked by the subscriber.

@@ -8174,11 +7713,11 @@ -

security attributes are displayed in human-readable form on each object that the system transmits to output devices to identify using ;

+

security attributes are displayed in human-readable form on each object that the system transmits to output devices to identify using ;

-

privacy attributes are displayed in human-readable form on each object that the system transmits to output devices to identify using .

+

privacy attributes are displayed in human-readable form on each object that the system transmits to output devices to identify using .

@@ -8216,123 +7755,101 @@ Maintenance of Attribute Association - - - - + + + + - - - - + + + + - - + + - -

security attributes to be associated with subjects are defined;

-
+ +

security attributes to be associated with subjects are defined;

+
- -

security attributes to be associated with objects are defined;

-
+ +

security attributes to be associated with objects are defined;

+
- -

privacy attributes to be associated with subjects are defined;

-
+ +

privacy attributes to be associated with subjects are defined;

+
- -

privacy attributes to be associated with objects are defined;

-
+ +

privacy attributes to be associated with objects are defined;

+
- -

subjects to be associated with information security attributes are defined;

-
+ +

subjects to be associated with information security attributes are defined;

+
- -

objects to be associated with information security attributes are defined;

-
+ +

objects to be associated with information security attributes are defined;

+
- -

subjects to be associated with privacy attributes are defined;

-
+ +

subjects to be associated with privacy attributes are defined;

+
- -

objects to be associated with privacy attributes are defined;

-
+ +

objects to be associated with privacy attributes are defined;

+
- -

security policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects;

-
+ +

security policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects;

+
- -

privacy policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects;

-
+ +

privacy policies that require personnel to associate and maintain the association of security and privacy attributes with subjects and objects;

+
- + -

Require personnel to associate and maintain the association of with in accordance with .

+

Require personnel to associate and maintain the association of with in accordance with .

Maintaining attribute association requires individual users (as opposed to the system) to maintain associations of defined security and privacy attributes with subjects and objects.

@@ -8341,19 +7858,19 @@ -

personnel are required to associate and maintain the association of with in accordance with ;

+

personnel are required to associate and maintain the association of with in accordance with ;

-

personnel are required to associate and maintain the association of with in accordance with ;

+

personnel are required to associate and maintain the association of with in accordance with ;

-

personnel are required to associate and maintain the association of with in accordance with ;

+

personnel are required to associate and maintain the association of with in accordance with ;

-

personnel are required to associate and maintain the association of with in accordance with .

+

personnel are required to associate and maintain the association of with in accordance with .

@@ -8389,9 +7906,7 @@ - +

Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.

@@ -8446,39 +7961,33 @@ Association Techniques and Technologies - - + + - -

techniques and technologies to be implemented in associating security attributes to information are defined;

-
+ +

techniques and technologies to be implemented in associating security attributes to information are defined;

+
- -

techniques and technologies to be implemented in associating privacy attributes to information are defined;

-
+ +

techniques and technologies to be implemented in associating privacy attributes to information are defined;

+
- + -

Implement in associating security and privacy attributes to information.

+

Implement in associating security and privacy attributes to information.

The association of security and privacy attributes to information within systems is important for conducting automated access enforcement and flow enforcement actions. The association of such attributes to information (i.e., binding) can be accomplished with technologies and techniques that provide different levels of assurance. For example, systems can cryptographically bind attributes to information using digital signatures that support cryptographic keys protected by hardware devices (sometimes known as hardware roots of trust).

@@ -8487,13 +7996,11 @@ -

- are implemented in associating security attributes to information;

+

are implemented in associating security attributes to information;

-

- are implemented in associating privacy attributes to information.

+

are implemented in associating privacy attributes to information.

@@ -8530,37 +8037,31 @@ Attribute Reassignment — Regrading Mechanisms - - + + - -

techniques or procedures used to validate regrading mechanisms for security attributes are defined;

-
+ +

techniques or procedures used to validate regrading mechanisms for security attributes are defined;

+
- -

techniques or procedures used to validate regrading mechanisms for privacy attributes are defined;

-
+ +

techniques or procedures used to validate regrading mechanisms for privacy attributes are defined;

+
- + -

Change security and privacy attributes associated with information only via regrading mechanisms validated using .

+

Change security and privacy attributes associated with information only via regrading mechanisms validated using .

A regrading mechanism is a trusted process authorized to re-classify and re-label data in accordance with a defined policy exception. Validated regrading mechanisms are used by organizations to provide the requisite levels of assurance for attribute reassignment activities. The validation is facilitated by ensuring that regrading mechanisms are single purpose and of limited function. Since security and privacy attribute changes can directly affect policy enforcement actions, implementing trustworthy regrading mechanisms is necessary to help ensure that such mechanisms perform in a consistent and correct mode of operation.

@@ -8569,11 +8070,11 @@ -

security attributes associated with information are changed only via regrading mechanisms validated using ;

+

security attributes associated with information are changed only via regrading mechanisms validated using ;

-

privacy attributes associated with information are changed only via regrading mechanisms validated using .

+

privacy attributes associated with information are changed only via regrading mechanisms validated using .

@@ -8612,9 +8113,7 @@ - +

Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects.

@@ -8670,9 +8169,7 @@ - + @@ -8709,7 +8206,7 @@
-

Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3 . Enforcing access restrictions for remote access is addressed via AC-3.

+

Remote access is access to organizational systems (or processes acting on behalf of users) that communicate through external networks such as the Internet. Types of remote access include dial-up, broadband, and wireless. Organizations use encrypted virtual private networks (VPNs) to enhance confidentiality and integrity for remote connections. The use of encrypted VPNs provides sufficient assurance to the organization that it can effectively treat such connections as internal networks if the cryptographic mechanisms used are implemented in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Still, VPN connections traverse external networks, and the encrypted VPN does not enhance the availability of remote connections. VPNs with encrypted tunnels can also affect the ability to adequately monitor network communications traffic for malicious code. Remote access controls apply to systems other than public web servers or systems designed for public access. Authorization of each remote access type addresses authorization prior to allowing remote access without specifying the specific formats for such authorization. While organizations may use information exchange and system connection security agreements to manage remote access connections to other systems, such agreements are addressed as part of CA-3 . Enforcing access restrictions for remote access is addressed via AC-3.

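Review bot: Both the removed and the added copy of the AC-17 discussion text read `as part of CA-3 .`, with the space before the period preserved on each side. That space is whitespace inside mixed content (text surrounding an inline control reference), which is exactly the kind of whitespace a cosmetic reformat must not touch, and here it is carried through unchanged. Please add a regression check that extracts every text node under `p` from the old and new catalog and asserts they are byte-for-byte identical, so that this property is verified mechanically for the whole file instead of being spot-checked on the few paragraphs that happen to be legible in the diff.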
@@ -8768,12 +8265,8 @@ - - + + @@ -8783,7 +8276,7 @@

Employ automated mechanisms to monitor and control remote access methods.

-

Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2 . Audit events are defined in AU-2a.

+

Monitoring and control of remote access methods allows organizations to detect attacks and help ensure compliance with remote access policies by auditing the connection activities of remote users on a variety of system components, including servers, notebook computers, workstations, smart phones, and tablets. Audit logging for remote access is enforced by AU-2 . Audit events are defined in AU-2a.

@@ -8832,9 +8325,7 @@ - + @@ -8885,16 +8376,14 @@ - +

Route remote accesses through authorized and managed network access control points.

-

Organizations consider the Trusted Internet Connections (TIC) initiative DHS TIC requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces.

+

Organizations consider the Trusted Internet Connections (TIC) initiative DHS TIC requirements for external network connections since limiting the number of access control points for remote access reduces attack surfaces.

@@ -8933,34 +8422,28 @@ Privileged Commands and Access - - + + - -

needs requiring execution of privileged commands via remote access are defined;

-
+ +

needs requiring execution of privileged commands via remote access are defined;

+
- -

needs requiring access to security-relevant information via remote access are defined;

-
+ +

needs requiring access to security-relevant information via remote access are defined;

+
- + @@ -8968,7 +8451,7 @@ -

Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: ; and

+

Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: ; and

@@ -8992,11 +8475,11 @@ -

the execution of privileged commands via remote access is authorized only for the following needs: ;

+

the execution of privileged commands via remote access is authorized only for the following needs: ;

-

access to security-relevant information via remote access is authorized only for the following needs: ;

+

access to security-relevant information via remote access is authorized only for the following needs: ;

@@ -9046,9 +8529,7 @@ - + @@ -9057,7 +8538,7 @@

Protect information about remote access mechanisms from unauthorized use and disclosure.

-

Remote access to organizational information by non-organizational entities can increase the risk of unauthorized use and disclosure about remote access mechanisms. The organization considers including remote access requirements in the information exchange agreements with other organizations, as applicable. Remote access requirements can also be included in rules of behavior (see PL-4 ) and access agreements (see PS-6).

+

Remote access to organizational information by non-organizational entities can increase the risk of unauthorized use and disclosure about remote access mechanisms. The organization considers including remote access requirements in the information exchange agreements with other organizations, as applicable. Remote access requirements can also be included in rules of behavior (see PL-4 ) and access agreements (see PS-6).

@@ -9105,26 +8586,24 @@ - -

the time period within which to disconnect or disable remote access to the system is defined;

-
+ +

the time period within which to disconnect or disable remote access to the system is defined;

+
- + -

Provide the capability to disconnect or disable remote access to the system within .

+

Provide the capability to disconnect or disable remote access to the system within .

The speed of system disconnect or disablement varies based on the criticality of missions or business functions and the need to eliminate immediate or future remote access to systems.

-

the capability to disconnect or disable remote access to the system within is provided.

+

the capability to disconnect or disable remote access to the system within is provided.
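Review bot: every removed/added pair in this hunk carries identical visible text (for example "the time period within which to disconnect or disable remote access to the system is defined;" and "the capability to disconnect or disable remote access to the system within is provided."), so the change is not reviewable from the text diff alone; the hunk header `@@ -9105,26 +8586,24 @@` shows the block shrinking by two lines, consistent with blank or indentation-only lines being dropped. Suggest attaching the output of a canonicalized XML comparison of the two catalog versions to the PR so reviewers can confirm that no element, attribute or text node changed.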

@@ -9162,38 +8641,35 @@ - -

mechanisms implemented to authenticate remote commands are defined;

-
+ +

mechanisms implemented to authenticate remote commands are defined;

+
- -

remote commands to be authenticated by mechanisms are defined;

-
+ +

remote commands to be authenticated by mechanisms are defined;

+
- + -

Implement to authenticate .

+

Implement to authenticate .

Authenticating remote commands protects against unauthorized commands and the replay of authorized commands. The ability to authenticate remote commands is important for remote systems for which loss, malfunction, misdirection, or exploitation would have immediate or serious consequences, such as injury, death, property damage, loss of high value assets, failure of mission or business functions, or compromise of classified or controlled unclassified information. Authentication mechanisms for remote commands ensure that systems accept and execute commands in the order intended, execute only authorized commands, and reject unauthorized commands. Cryptographic mechanisms can be used, for example, to authenticate remote commands.

-

- are implemented to authenticate .

+

are implemented to authenticate .
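Review bot: the removed assessment-objective line begins with a space before the parameter placeholder (" are implemented to authenticate ...") and the added line does not, so the reformatter is trimming leading whitespace inside the paragraph; that is harmless at the start of a `p`, but the same pass must not collapse the interior spaces around placeholders, which this hunk does retain in "Implement to authenticate ." on both sides. Suggest adding a check that the text content of each objective and statement, with runs of whitespace normalized, is byte-identical before and after, which would catch a dropped separator between a placeholder and the following word anywhere in the catalog.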

@@ -9231,9 +8707,7 @@ - + @@ -9327,15 +8801,13 @@ - + -

Protect wireless access to the system using authentication of and encryption.

+

Protect wireless access to the system using authentication of and encryption.

Wireless networking capabilities represent a significant potential vulnerability that can be exploited by adversaries. To protect systems with wireless access points, strong authentication of users and devices along with strong encryption can reduce susceptibility to threats by adversaries involving wireless technologies.

@@ -9344,7 +8816,7 @@ -

wireless access to the system is protected using authentication of ;

+

wireless access to the system is protected using authentication of ;

@@ -9394,12 +8866,8 @@ - - + +

Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.

@@ -9445,9 +8913,7 @@ - + @@ -9502,9 +8968,7 @@ - + @@ -9561,9 +9025,7 @@ - + @@ -9601,7 +9063,7 @@

A mobile device is a computing device that has a small form factor such that it can easily be carried by a single individual; is designed to operate without a physical connection; possesses local, non-removable or removable data storage; and includes a self-contained power source. Mobile device functionality may also include voice communication capabilities, on-board sensors that allow the device to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones and tablets. Mobile devices are typically associated with a single individual. The processing, storage, and transmission capability of the mobile device may be comparable to or merely a subset of notebook/desktop systems, depending on the nature and intended purpose of the device. Protection and control of mobile devices is behavior or policy-based and requires users to take physical action to protect and control such devices when outside of controlled areas. Controlled areas are spaces for which organizations provide physical or procedural controls to meet the requirements established for protecting information and systems.

Due to the large variety of mobile devices with different characteristics and capabilities, organizational restrictions may vary for the different classes or types of such devices. Usage restrictions and specific implementation guidance for mobile devices include configuration management, device identification and authentication, implementation of mandatory protective software, scanning devices for malicious code, updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware.

-

Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in AC-19 . Many safeguards for mobile devices are reflected in other controls. AC-20 addresses mobile devices that are not organization-controlled.

+

Usage restrictions and authorization to connect may vary among organizational systems. For example, the organization may authorize the connection of mobile devices to its network and impose a set of usage restrictions, while a system owner may withhold authorization for mobile device connection to specific applications or impose additional usage restrictions before allowing mobile device connections to a system. Adequate security for mobile devices goes beyond the requirements specified in AC-19 . Many safeguards for mobile devices are reflected in other controls. AC-20 addresses mobile devices that are not organization-controlled.

@@ -9687,24 +9149,22 @@ - -

security officials responsible for the review and inspection of unclassified mobile devices and the information stored on those devices are defined;

-
+ +

security officials responsible for the review and inspection of unclassified mobile devices and the information stored on those devices are defined;

+
- -

security policies restricting the connection of classified mobile devices to classified systems are defined;

-
+ +

security policies restricting the connection of classified mobile devices to classified systems are defined;

+
- + @@ -9730,12 +9190,12 @@
-

Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by , and if classified information is found, the incident handling policy is followed.

+

Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by , and if classified information is found, the incident handling policy is followed.

-

Restrict the connection of classified mobile devices to classified systems in accordance with .

+

Restrict the connection of classified mobile devices to classified systems in accordance with .

@@ -9765,7 +9225,7 @@ -

random review and inspection of unclassified mobile devices and the information stored on those devices by are enforced;

+

random review and inspection of unclassified mobile devices and the information stored on those devices by are enforced;

@@ -9775,7 +9235,7 @@ -

the connection of classified mobile devices to classified systems is restricted in accordance with .

+

the connection of classified mobile devices to classified systems is restricted in accordance with .

@@ -9826,30 +9286,27 @@ - -

mobile devices on which to employ encryption are defined;

-
+ +

mobile devices on which to employ encryption are defined;

+
- + -

Employ to protect the confidentiality and integrity of information on .

+

Employ to protect the confidentiality and integrity of information on .

Container-based encryption provides a more fine-grained approach to data and information encryption on mobile devices, including encrypting selected data structures such as files, records, or fields.

-

- is employed to protect the confidentiality and integrity of information on .

+

is employed to protect the confidentiality and integrity of information on .

@@ -9889,48 +9346,40 @@ - -

terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);

-
+ +

terms and conditions consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);

+
- + - -

controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);

-
+ +

controls asserted to be implemented on external systems consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems are defined (if selected);

+
- + - -

types of external systems prohibited from use are defined;

-
+ +

types of external systems prohibited from use are defined;

+
- + @@ -9946,8 +9395,7 @@ -

- , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:

+

, consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:

Access the system from external systems; and

@@ -9959,13 +9407,13 @@
-

Prohibit the use of .

+

Prohibit the use of .

External systems are systems that are used by but not part of organizational systems, and for which the organization has no direct control over the implementation of required controls or the assessment of control effectiveness. External systems include personally owned systems, components, or devices; privately owned computing and communications devices in commercial or public facilities; systems owned or controlled by nonfederal organizations; systems managed by contractors; and federal information systems that are not owned by, operated by, or under the direct supervision or authority of the organization. External systems also include systems owned or operated by other components within the same organization and systems within the organization with different authorization boundaries. Organizations have the option to prohibit the use of any type of external system or prohibit the use of specified types of external systems, (e.g., prohibit the use of any external system that is not organizationally owned or prohibit the use of personally-owned systems).

For some external systems (i.e., systems operated by other organizations), the trust relationships that have been established between those organizations and the originating organization may be such that no explicit terms and conditions are required. Systems within these organizations may not be considered external. These situations occur when, for example, there are pre-existing information exchange agreements (either implicit or explicit) established between organizations or components or when such agreements are specified by applicable laws, executive orders, directives, regulations, policies, or standards. Authorized individuals include organizational personnel, contractors, or other individuals with authorized access to organizational systems and over which organizations have the authority to impose specific rules of behavior regarding system access. Restrictions that organizations impose on authorized individuals need not be uniform, as the restrictions may vary depending on trust relationships between organizations. Therefore, organizations may choose to impose different security restrictions on contractors than on state, local, or tribal governments.

-

External systems used to access public interfaces to organizational systems are outside the scope of AC-20 . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

+

External systems used to access public interfaces to organizational systems are outside the scope of AC-20 . Organizations establish specific terms and conditions for the use of external systems in accordance with organizational security policies and procedures. At a minimum, terms and conditions address the specific types of applications that can be accessed on organizational systems from external systems and the highest security category of information that can be processed, stored, or transmitted on external systems. If the terms and conditions with the owners of the external systems cannot be established, organizations may impose restrictions on organizational personnel using those external systems.

@@ -9973,18 +9421,16 @@ -

- is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);

+

is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to access the system from external systems (if applicable);

-

- is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);

+

is/are consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to process, store, or transmit organization-controlled information using external systems (if applicable);

-

the use of is prohibited (if applicable).

+

the use of is prohibited (if applicable).

@@ -10022,9 +9468,7 @@ - + @@ -10086,28 +9530,26 @@ - -

restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined;

-
+ +

restrictions on the use of organization-controlled portable storage devices by authorized individuals on external systems are defined;

+
- + -

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using .

+

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using .

Limits on the use of organization-controlled portable storage devices in external systems include restrictions on how the devices may be used and under what conditions the devices may be used.

-

the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using .

+

the use of organization-controlled portable storage devices by authorized individuals is restricted on external systems using .

@@ -10145,26 +9587,24 @@ - -

restrictions on the use of non-organizationally owned systems or system components to process, store, or transmit organizational information are defined;

-
+ +

restrictions on the use of non-organizationally owned systems or system components to process, store, or transmit organizational information are defined;

+
- + -

Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using .

+

Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using .

-

Non-organizationally owned systems or system components include systems or system components owned by other organizations as well as personally owned devices. There are potential risks to using non-organizationally owned systems or components. In some cases, the risk is sufficiently high as to prohibit such use (see AC-20 b. ). In other cases, the use of such systems or system components may be allowed but restricted in some way. Restrictions include requiring the implementation of approved controls prior to authorizing the connection of non-organizationally owned systems and components; limiting access to types of information, services, or applications; using virtualization techniques to limit processing and storage activities to servers or system components provisioned by the organization; and agreeing to the terms and conditions for usage. Organizations consult with the Office of the General Counsel regarding legal issues associated with using personally owned devices, including requirements for conducting forensic analyses during investigations after an incident.

+

Non-organizationally owned systems or system components include systems or system components owned by other organizations as well as personally owned devices. There are potential risks to using non-organizationally owned systems or components. In some cases, the risk is sufficiently high as to prohibit such use (see AC-20 b. ). In other cases, the use of such systems or system components may be allowed but restricted in some way. Restrictions include requiring the implementation of approved controls prior to authorizing the connection of non-organizationally owned systems and components; limiting access to types of information, services, or applications; using virtualization techniques to limit processing and storage activities to servers or system components provisioned by the organization; and agreeing to the terms and conditions for usage. Organizations consult with the Office of the General Counsel regarding legal issues associated with using personally owned devices, including requirements for conducting forensic analyses during investigations after an incident.

-

the use of non-organizationally owned systems or system components to process, store, or transmit organizational information is restricted using .

+

the use of non-organizationally owned systems or system components to process, store, or transmit organizational information is restricted using .

@@ -10200,31 +9640,27 @@ Network Accessible Storage Devices — Prohibited Use - + - -

network-accessible storage devices prohibited from use in external systems are defined;

-
+ +

network-accessible storage devices prohibited from use in external systems are defined;

+
- + -

Prohibit the use of in external systems.

+

Prohibit the use of in external systems.

Network-accessible storage devices in external systems include online storage devices in public, hybrid, or community cloud-based systems.

-

the use of is prohibited in external systems.

+

the use of is prohibited in external systems.

@@ -10263,9 +9699,7 @@ - + @@ -10310,32 +9744,26 @@ Information Sharing - + - -

information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined;

-
+ +

information-sharing circumstances where user discretion is required to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions are defined;

+
- + - -

automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;

-
+ +

automated mechanisms or manual processes that assist users in making information-sharing and collaboration decisions are defined;

+
- + @@ -10349,11 +9777,11 @@ -

Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for ; and

+

Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for ; and

-

Employ to assist users in making information sharing and collaboration decisions.

+

Employ to assist users in making information sharing and collaboration decisions.

@@ -10363,12 +9791,11 @@ -

authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for ;

+

authorized users are enabled to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for ;

-

- are employed to assist users in making information-sharing and collaboration decisions.

+

are employed to assist users in making information-sharing and collaboration decisions.

@@ -10413,27 +9840,24 @@ - -

automated mechanisms employed to enforce information-sharing decisions by authorized users are defined;

-
+ +

automated mechanisms employed to enforce information-sharing decisions by authorized users are defined;

+
- + -

Employ to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.

+

Employ to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.

Automated mechanisms are used to enforce information sharing decisions.

-

- are employed to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.

+

are employed to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.

@@ -10471,31 +9895,27 @@ Information Search and Retrieval - + - -

information-sharing restrictions to be enforced by information search and retrieval services are defined;

-
+ +

information-sharing restrictions to be enforced by information search and retrieval services are defined;

+
- + -

Implement information search and retrieval services that enforce .

+

Implement information search and retrieval services that enforce .

Information search and retrieval services identify information system resources relevant to an information need.

-

information search and retrieval services that enforce are implemented.

+

information search and retrieval services that enforce are implemented.

@@ -10537,16 +9957,14 @@ - -

the frequency at which to review the content on the publicly accessible system for non-public information is defined;

-
+ +

the frequency at which to review the content on the publicly accessible system for non-public information is defined;

+
- + @@ -10567,11 +9985,11 @@
-

Review the content on the publicly accessible system for nonpublic information and remove such information, if discovered.

+

Review the content on the publicly accessible system for nonpublic information and remove such information, if discovered.

-

In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the PRIVACT and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible.

+

In accordance with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines, the public is not authorized to have access to nonpublic information, including information protected under the PRIVACT and proprietary information. Publicly accessible content addresses systems that are controlled by the organization and accessible to the public, typically without identification or authentication. Posting information on non-organizational systems (e.g., non-organizational public websites, forums, and social media) is covered by organizational policy. While organizations may have individuals who are responsible for developing and implementing policies about the information that can be made publicly accessible, publicly accessible content addresses the management of the individuals who make such information publicly accessible.

@@ -10591,7 +10009,7 @@ -

the content on the publicly accessible system is reviewed for non-public information ;

+

the content on the publicly accessible system is reviewed for non-public information ;

@@ -10635,45 +10053,39 @@ Data Mining Protection - + - -

data mining prevention and detection techniques are defined;

-
+ +

data mining prevention and detection techniques are defined;

+
- -

data storage objects to be protected against unauthorized data mining are defined;

-
+ +

data storage objects to be protected against unauthorized data mining are defined;

+
- + -

Employ for to detect and protect against unauthorized data mining.

+

Employ for to detect and protect against unauthorized data mining.

Data mining is an analytical process that attempts to find correlations or patterns in large data sets for the purpose of data or knowledge discovery. Data storage objects include database records and database fields. Sensitive information can be extracted from data mining operations. When information is personally identifiable information, it may lead to unanticipated revelations about individuals and give rise to privacy risks. Prior to performing data mining activities, organizations determine whether such activities are authorized. Organizations may be subject to applicable laws, executive orders, directives, regulations, or policies that address data mining requirements. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

-

Data mining prevention and detection techniques include limiting the number and frequency of database queries to increase the work factor needed to determine the contents of databases, limiting types of responses provided to database queries, applying differential privacy techniques or homomorphic encryption, and notifying personnel when atypical database queries or accesses occur. Data mining protection focuses on protecting information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is available as open-source information residing on external sites, such as social networking or social media websites.

-

- EO 13587 requires the establishment of an insider threat program for deterring, detecting, and mitigating insider threats, including the safeguarding of sensitive information from exploitation, compromise, or other unauthorized disclosure. Data mining protection requires organizations to identify appropriate techniques to prevent and detect unnecessary or unauthorized data mining. Data mining can be used by an insider to collect organizational information for the purpose of exfiltration.

+

Data mining prevention and detection techniques include limiting the number and frequency of database queries to increase the work factor needed to determine the contents of databases, limiting types of responses provided to database queries, applying differential privacy techniques or homomorphic encryption, and notifying personnel when atypical database queries or accesses occur. Data mining protection focuses on protecting information from data mining while such information resides in organizational data stores. In contrast, AU-13 focuses on monitoring for organizational information that may have been mined or otherwise obtained from data stores and is available as open-source information residing on external sites, such as social networking or social media websites.

+

EO 13587 requires the establishment of an insider threat program for deterring, detecting, and mitigating insider threats, including the safeguarding of sensitive information from exploitation, compromise, or other unauthorized disclosure. Data mining protection requires organizations to identify appropriate techniques to prevent and detect unnecessary or unauthorized data mining. Data mining can be used by an insider to collect organizational information for the purpose of exfiltration.

-

- are employed for to detect and protect against unauthorized data mining.

+

are employed for to detect and protect against unauthorized data mining.

@@ -10727,31 +10139,27 @@ - -

access control decisions applied to each access request prior to access enforcement are defined;

-
+ +

access control decisions applied to each access request prior to access enforcement are defined;

+
- + -

- to ensure are applied to each access request prior to access enforcement.

+

to ensure are applied to each access request prior to access enforcement.

Access control decisions (also known as authorization decisions) occur when authorization information is applied to specific accesses. In contrast, access enforcement occurs when systems enforce access control decisions. While it is common to have access control decisions and access enforcement implemented by the same entity, it is not required, and it is not always an optimal implementation choice. For some architectures and distributed systems, different entities may make access control decisions and enforce access.

-

- are taken to ensure that are applied to each access request prior to access enforcement.

+

are taken to ensure that are applied to each access request prior to access enforcement.

@@ -10787,44 +10195,41 @@ - -

access authorization information transmitted to systems that enforce access control decisions is defined;

-
+ +

access authorization information transmitted to systems that enforce access control decisions is defined;

+
- -

controls to be used when authorization information is transmitted to systems that enforce access control decisions are defined;

-
+ +

controls to be used when authorization information is transmitted to systems that enforce access control decisions are defined;

+
- -

systems that enforce access control decisions are defined;

-
+ +

systems that enforce access control decisions are defined;

+
- + -

Transmit using to that enforce access control decisions.

+

Transmit using to that enforce access control decisions.

Authorization processes and access control decisions may occur in separate parts of systems or in separate systems. In such instances, authorization information is transmitted securely (e.g., using cryptographic mechanisms) so that timely access control decisions can be enforced at the appropriate locations. To support the access control decisions, it may be necessary to transmit as part of the access authorization information supporting security and privacy attributes. This is because in distributed systems, there are various access control decisions that need to be made, and different entities make these decisions in a serial fashion, each requiring those attributes to make the decisions. Protecting access authorization information ensures that such information cannot be altered, spoofed, or compromised during transmission.

-

- is transmitted using to that enforce access control decisions.

+

is transmitted using to that enforce access control decisions.

@@ -10860,37 +10265,31 @@ No User or Process Identity - - + + - -

security attributes that do not include the identity of the user or process acting on behalf of the user are defined (if selected);

-
+ +

security attributes that do not include the identity of the user or process acting on behalf of the user are defined (if selected);

+
- -

privacy attributes that do not include the identity of the user or process acting on behalf of the user are defined (if selected);

-
+ +

privacy attributes that do not include the identity of the user or process acting on behalf of the user are defined (if selected);

+
- + -

Enforce access control decisions based on that do not include the identity of the user or process acting on behalf of the user.

+

Enforce access control decisions based on that do not include the identity of the user or process acting on behalf of the user.

In certain situations, it is important that access control decisions can be made without information regarding the identity of the users issuing the requests. These are generally instances where preserving individual privacy is of paramount importance. In other situations, user identification information is simply not needed for access control decisions, and especially in the case of distributed systems, transmitting such information with the needed degree of assurance may be very expensive or difficult to accomplish. MAC, RBAC, ABAC, and label-based control policies, for example, might not include user identity as an attribute.

@@ -10899,11 +10298,11 @@ -

access control decisions are enforced based on that do not include the identity of the user or process acting on behalf of the user (if selected);

+

access control decisions are enforced based on that do not include the identity of the user or process acting on behalf of the user (if selected);

-

access control decisions are enforced based on that do not include the identity of the user or process acting on behalf of the user (if selected).

+

access control decisions are enforced based on that do not include the identity of the user or process acting on behalf of the user (if selected).

@@ -10945,19 +10344,15 @@ - -

access control policies for which a reference monitor is implemented are defined;

-
+ +

access control policies for which a reference monitor is implemented are defined;

+
- - + + @@ -10967,14 +10362,14 @@ -

Implement a reference monitor for that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.

+

Implement a reference monitor for that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.

A reference monitor is a set of design requirements on a reference validation mechanism that, as a key component of an operating system, enforces an access control policy over all subjects and objects. A reference validation mechanism is always invoked, tamper-proof, and small enough to be subject to analysis and tests, the completeness of which can be assured (i.e., verifiable). Information is represented internally within systems using abstractions known as data structures. Internal data structures can represent different types of entities, both active and passive. Active entities, also known as subjects, are associated with individuals, devices, or processes acting on behalf of individuals. Passive entities, also known as objects, are associated with data structures, such as records, buffers, communications ports, tables, files, and inter-process pipes. Reference monitors enforce access control policies that restrict access to objects based on the identity of subjects or groups to which the subjects belong. The system enforces the access control policy based on the rule set established by the policy. The tamper-proof property of the reference monitor prevents determined adversaries from compromising the functioning of the reference validation mechanism. The always invoked property prevents adversaries from bypassing the mechanism and violating the security policy. The smallness property helps to ensure completeness in the analysis and testing of the mechanism to detect any weaknesses or deficiencies (i.e., latent flaws) that would prevent the enforcement of the security policy.

-

a reference monitor is implemented for that is tamper-proof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.

+

a reference monitor is implemented for that is tamper-proof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.

@@ -11013,27 +10408,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the awareness and training policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the awareness and training procedures are to be disseminated is/are defined;

+
@@ -11048,51 +10439,47 @@ - -

an official to manage the awareness and training policy and procedures is defined;

-
+ +

an official to manage the awareness and training policy and procedures is defined;

+
- -

the frequency at which the current awareness and training policy is reviewed and updated is defined;

-
+ +

the frequency at which the current awareness and training policy is reviewed and updated is defined;

+
- -

events that would require the current awareness and training policy to be reviewed and updated are defined;

-
+ +

events that would require the current awareness and training policy to be reviewed and updated are defined;

+
- -

the frequency at which the current awareness and training procedures are reviewed and updated is defined;

-
+ +

the frequency at which the current awareness and training procedures are reviewed and updated is defined;

+
- -

events that would require procedures to be reviewed and updated are defined;

-
+ +

events that would require procedures to be reviewed and updated are defined;

+
- - + + @@ -11105,11 +10492,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- awareness and training policy that:

+

awareness and training policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

@@ -11126,18 +10512,18 @@
-

Designate an to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and

Review and update the current awareness and training:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -11154,7 +10540,7 @@
-

the awareness and training policy is disseminated to ;

+

the awareness and training policy is disseminated to ;

@@ -11162,7 +10548,7 @@ -

the awareness and training procedures are disseminated to .

+

the awareness and training procedures are disseminated to .

@@ -11170,42 +10556,42 @@ -

the awareness and training policy addresses purpose;

+

the awareness and training policy addresses purpose;

-

the awareness and training policy addresses scope;

+

the awareness and training policy addresses scope;

-

the awareness and training policy addresses roles;

+

the awareness and training policy addresses roles;

-

the awareness and training policy addresses responsibilities;

+

the awareness and training policy addresses responsibilities;

-

the awareness and training policy addresses management commitment;

+

the awareness and training policy addresses management commitment;

-

the awareness and training policy addresses coordination among organizational entities;

+

the awareness and training policy addresses coordination among organizational entities;

-

the awareness and training policy addresses compliance; and

+

the awareness and training policy addresses compliance; and

-

the awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and

+

the awareness and training policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines; and

-

the is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the awareness and training policy and procedures;

@@ -11213,22 +10599,22 @@ -

the current awareness and training policy is reviewed and updated ;

+

the current awareness and training policy is reviewed and updated ;

-

the current awareness and training policy is reviewed and updated following ;

+

the current awareness and training policy is reviewed and updated following ;

-

the current awareness and training procedures are reviewed and updated ;

+

the current awareness and training procedures are reviewed and updated ;

-

the current awareness and training procedures are reviewed and updated following .

+

the current awareness and training procedures are reviewed and updated following .

@@ -11255,84 +10641,72 @@ Literacy Training and Awareness - - + + - - + + - -

the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;

-
+ +

the frequency at which to provide security literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;

+
- -

the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;

-
+ +

the frequency at which to provide privacy literacy training to system users (including managers, senior executives, and contractors) after initial training is defined;

+
- -

events that require security literacy training for system users are defined;

-
+ +

events that require security literacy training for system users are defined;

+
- -

events that require privacy literacy training for system users are defined;

-
+ +

events that require privacy literacy training for system users are defined;

+
- -

techniques to be employed to increase the security and privacy awareness of system users are defined;

-
+ +

techniques to be employed to increase the security and privacy awareness of system users are defined;

+
- -

the frequency at which to update literacy training and awareness content is defined;

-
+ +

the frequency at which to update literacy training and awareness content is defined;

+
- -

events that would require literacy training and awareness content to be updated are defined;

-
+ +

events that would require literacy training and awareness content to be updated are defined;

+
- - + + @@ -11361,20 +10735,20 @@

Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):

-

As part of initial training for new users and thereafter; and

+

As part of initial training for new users and thereafter; and

-

When required by system changes or following ;

+

When required by system changes or following ;

-

Employ the following techniques to increase the security and privacy awareness of system users ;

+

Employ the following techniques to increase the security and privacy awareness of system users ;

-

Update literacy training and awareness content and following ; and

+

Update literacy training and awareness content and following ; and

@@ -11383,7 +10757,7 @@

Organizations provide basic and advanced levels of literacy training to system users, including measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments (e.g., telework). The content includes an understanding of the need for security and privacy as well as actions by users to maintain security and personal privacy and to respond to suspected incidents. The content addresses the need for operations security and the handling of personally identifiable information.

-

Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in AT-2a.1 is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+

Awareness techniques include displaying posters, offering supplies inscribed with security and privacy reminders, displaying logon screen messages, generating email advisories or notices from organizational officials, and conducting awareness events. Literacy training after the initial training described in AT-2a.1 is conducted at a minimum frequency consistent with applicable laws, directives, regulations, and policies. Subsequent literacy training may be satisfied by one or more short ad hoc sessions and include topical information on recent attack schemes, changes to organizational security and privacy policies, revised security and privacy expectations, or a subset of topics from the initial training. Updating literacy training and awareness content on a regular basis helps to ensure that the content remains relevant. Events that may precipitate an update to literacy training and awareness content include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

@@ -11401,39 +10775,38 @@ -

security literacy training is provided to system users (including managers, senior executives, and contractors) thereafter;

+

security literacy training is provided to system users (including managers, senior executives, and contractors) thereafter;

-

privacy literacy training is provided to system users (including managers, senior executives, and contractors) thereafter;

+

privacy literacy training is provided to system users (including managers, senior executives, and contractors) thereafter;

-

security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following ;

+

security literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following ;

-

privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following ;

+

privacy literacy training is provided to system users (including managers, senior executives, and contractors) when required by system changes or following ;

-

- are employed to increase the security and privacy awareness of system users;

+

are employed to increase the security and privacy awareness of system users;

-

literacy training and awareness content is updated ;

+

literacy training and awareness content is updated ;

-

literacy training and awareness content is updated following ;

+

literacy training and awareness content is updated following ;

@@ -11477,12 +10850,8 @@ - - + + @@ -11533,12 +10902,8 @@ - - + + @@ -11586,12 +10951,8 @@ - - + +

Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.

@@ -11647,29 +11008,25 @@ - -

indicators of malicious code are defined;

-
+ +

indicators of malicious code are defined;

+
- - + + -

Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using .

+

Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using .

A well-trained workforce provides another organizational control that can be employed as part of a defense-in-depth strategy to protect against malicious code coming into organizations via email or the web applications. Personnel are trained to look for indications of potentially suspicious email (e.g., receiving an unexpected email, receiving an email containing strange or poor grammar, or receiving an email from an unfamiliar sender that appears to be from a known sponsor or contractor). Personnel are also trained on how to respond to suspicious email or web communications. For this process to work effectively, personnel are trained and made aware of what constitutes suspicious communications. Training personnel on how to recognize anomalous behaviors in systems can provide organizations with early warning for the presence of malicious code. Recognition of anomalous behavior by organizational personnel can supplement malicious code detection and protection tools and systems employed by organizations.

-

literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using is provided.

+

literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using is provided.

@@ -11699,12 +11056,8 @@ - - + +

Provide literacy training on the advanced persistent threat.

@@ -11744,12 +11097,8 @@ - - + + @@ -11803,61 +11152,53 @@ Role-based Training - - + + - -

roles and responsibilities for role-based security training are defined;

-
+ +

roles and responsibilities for role-based security training are defined;

+
- -

roles and responsibilities for role-based privacy training are defined;

-
+ +

roles and responsibilities for role-based privacy training are defined;

+
- -

the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;

-
+ +

the frequency at which to provide role-based security and privacy training to assigned personnel after initial training is defined;

+
- -

the frequency at which to update role-based training content is defined;

-
+ +

the frequency at which to update role-based training content is defined;

+
- -

events that require role-based training content to be updated are defined;

-
+ +

events that require role-based training content to be updated are defined;

+
- - + + @@ -11886,10 +11227,10 @@ -

Provide role-based security and privacy training to personnel with the following roles and responsibilities: :

+

Provide role-based security and privacy training to personnel with the following roles and responsibilities: :

-

Before authorizing access to the system, information, or performing assigned duties, and thereafter; and

+

Before authorizing access to the system, information, or performing assigned duties, and thereafter; and

@@ -11898,7 +11239,7 @@ -

Update role-based training content and following ; and

+

Update role-based training content and following ; and

@@ -11917,21 +11258,19 @@ -

role-based security training is provided to before authorizing access to the system, information, or performing assigned duties;

+

role-based security training is provided to before authorizing access to the system, information, or performing assigned duties;

-

role-based privacy training is provided to before authorizing access to the system, information, or performing assigned duties;

+

role-based privacy training is provided to before authorizing access to the system, information, or performing assigned duties;

-

role-based security training is provided to - thereafter;

+

role-based security training is provided to thereafter;

-

role-based privacy training is provided to - thereafter;

+

role-based privacy training is provided to thereafter;
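Review bot: At `role-based security training is provided to - thereafter;` and `role-based privacy training is provided to - thereafter;` the old text carried `thereafter;` on its own continuation line and the reformat joins it onto the preceding line; since this is mixed content in which whitespace is significant, please confirm that the joined result keeps exactly one space between the inline parameter insertion point and `thereafter;` rather than none, and that the same holds for the other paragraphs this pass joins (the line-count reductions in this hunk header, `-11917,21 +11258,19`, indicate more than one such join).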

@@ -11950,11 +11289,11 @@ -

role-based training content is updated ;

+

role-based training content is updated ;

-

role-based training content is updated following ;

+

role-based training content is updated following ;

@@ -11998,27 +11337,23 @@ - -

personnel or roles to be provided with initial and refresher training in the employment and operation of environmental controls are defined;

-
+ +

personnel or roles to be provided with initial and refresher training in the employment and operation of environmental controls are defined;

+
- -

the frequency at which to provide refresher training in the employment and operation of environmental controls is defined;

-
+ +

the frequency at which to provide refresher training in the employment and operation of environmental controls is defined;

+
- - + + @@ -12026,15 +11361,14 @@ -

Provide with initial and training in the employment and operation of environmental controls.

+

Provide with initial and training in the employment and operation of environmental controls.

Environmental controls include fire suppression and detection devices or systems, sprinkler systems, handheld fire extinguishers, fixed fire hoses, smoke detectors, temperature or humidity, heating, ventilation, air conditioning, and power within the facility.

-

- are provided with initial and refresher training in the employment and operation of environmental controls.

+

are provided with initial and refresher training in the employment and operation of environmental controls.

@@ -12065,41 +11399,36 @@ - -

personnel or roles to be provided with initial and refresher training in the employment and operation of physical security controls is/are defined;

-
+ +

personnel or roles to be provided with initial and refresher training in the employment and operation of physical security controls is/are defined;

+
- -

the frequency at which to provide refresher training in the employment and operation of physical security controls is defined;

-
+ +

the frequency at which to provide refresher training in the employment and operation of physical security controls is defined;

+
- - + + -

Provide with initial and training in the employment and operation of physical security controls.

+

Provide with initial and training in the employment and operation of physical security controls.

Physical security controls include physical access control devices, physical intrusion and detection alarms, operating procedures for facility security guards, and monitoring or surveillance equipment.

-

- is/are provided with initial and refresher training in the employment and operation of physical security controls.

+

is/are provided with initial and refresher training in the employment and operation of physical security controls.

@@ -12129,12 +11458,8 @@ - - + +

Provide practical exercises in security and privacy training that reinforce training objectives.

@@ -12190,42 +11515,37 @@ - -

personnel or roles to be provided with initial and refresher training in the employment and operation of personally identifiable information processing and transparency controls is/are defined;

-
+ +

personnel or roles to be provided with initial and refresher training in the employment and operation of personally identifiable information processing and transparency controls is/are defined;

+
- -

the frequency at which to provide refresher training in the employment and operation of personally identifiable information processing and transparency controls is defined;

-
+ +

the frequency at which to provide refresher training in the employment and operation of personally identifiable information processing and transparency controls is defined;

+
- - + + -

Provide with initial and training in the employment and operation of personally identifiable information processing and transparency controls.

+

Provide with initial and training in the employment and operation of personally identifiable information processing and transparency controls.

-

Personally identifiable information processing and transparency controls include the organization’s authority to process personally identifiable information and personally identifiable information processing purposes. Role-based training for federal agencies addresses the types of information that may constitute personally identifiable information and the risks, considerations, and obligations associated with its processing. Such training also considers the authority to process personally identifiable information documented in privacy policies and notices, system of records notices, computer matching agreements and notices, privacy impact assessments, PRIVACT statements, contracts, information sharing agreements, memoranda of understanding, and/or other documentation.

+

Personally identifiable information processing and transparency controls include the organization’s authority to process personally identifiable information and personally identifiable information processing purposes. Role-based training for federal agencies addresses the types of information that may constitute personally identifiable information and the risks, considerations, and obligations associated with its processing. Such training also considers the authority to process personally identifiable information documented in privacy policies and notices, system of records notices, computer matching agreements and notices, privacy impact assessments, PRIVACT statements, contracts, information sharing agreements, memoranda of understanding, and/or other documentation.

-

- are provided with initial and refresher training in the employment and operation of personally identifiable information processing and transparency controls.

+

are provided with initial and refresher training in the employment and operation of personally identifiable information processing and transparency controls.

@@ -12263,19 +11583,15 @@ - -

time period for retaining individual training records is defined;

-
+ +

time period for retaining individual training records is defined;

+
- - + + @@ -12290,7 +11606,7 @@
-

Retain individual training records for .

+

Retain individual training records for .

@@ -12311,7 +11627,7 @@ -

individual training records are retained for .

+

individual training records are retained for .

@@ -12355,36 +11671,32 @@ - -

frequency at which to provide feedback on organizational training results is defined;

-
+ +

frequency at which to provide feedback on organizational training results is defined;

+
- -

personnel to whom feedback on organizational training results will be provided is/are assigned;

-
+ +

personnel to whom feedback on organizational training results will be provided is/are assigned;

+
- - + + -

Provide feedback on organizational training results to the following personnel : .

+

Provide feedback on organizational training results to the following personnel : .

-

Training feedback includes awareness training results and role-based training results. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. Therefore, it is important that senior managers are made aware of such situations so that they can take appropriate response actions. Training feedback supports the evaluation and update of organizational training described in AT-2b and AT-3b.

+

Training feedback includes awareness training results and role-based training results. Training results, especially failures of personnel in critical roles, can be indicative of a potentially serious problem. Therefore, it is important that senior managers are made aware of such situations so that they can take appropriate response actions. Training feedback supports the evaluation and update of organizational training described in AT-2b and AT-3b.

-

feedback on organizational training results is provided to .

+

feedback on organizational training results is provided to .

@@ -12418,27 +11730,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the audit and accountability policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the audit and accountability procedures are to be disseminated is/are defined;

+
@@ -12453,51 +11761,47 @@ - -

an official to manage the audit and accountability policy and procedures is defined;

-
+ +

an official to manage the audit and accountability policy and procedures is defined;

+
- -

the frequency at which the current audit and accountability policy is reviewed and updated is defined;

-
+ +

the frequency at which the current audit and accountability policy is reviewed and updated is defined;

+
- -

events that would require the current audit and accountability policy to be reviewed and updated are defined;

-
+ +

events that would require the current audit and accountability policy to be reviewed and updated are defined;

+
- -

the frequency at which the current audit and accountability procedures are reviewed and updated is defined;

-
+ +

the frequency at which the current audit and accountability procedures are reviewed and updated is defined;

+
- -

events that would require audit and accountability procedures to be reviewed and updated are defined;

-
+ +

events that would require audit and accountability procedures to be reviewed and updated are defined;

+
- - + + @@ -12508,11 +11812,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- audit and accountability policy that:

+

audit and accountability policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

@@ -12529,18 +11832,18 @@
-

Designate an to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and

Review and update the current audit and accountability:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -12557,7 +11860,7 @@
-

the audit and accountability policy is disseminated to ;

+

the audit and accountability policy is disseminated to ;

@@ -12565,7 +11868,7 @@ -

the audit and accountability procedures are disseminated to ;

+

the audit and accountability procedures are disseminated to ;

@@ -12573,42 +11876,42 @@ -

the of the audit and accountability policy addresses purpose;

+

the of the audit and accountability policy addresses purpose;

-

the of the audit and accountability policy addresses scope;

+

the of the audit and accountability policy addresses scope;

-

the of the audit and accountability policy addresses roles;

+

the of the audit and accountability policy addresses roles;

-

the of the audit and accountability policy addresses responsibilities;

+

the of the audit and accountability policy addresses responsibilities;

-

the of the audit and accountability policy addresses management commitment;

+

the of the audit and accountability policy addresses management commitment;

-

the of the audit and accountability policy addresses coordination among organizational entities;

+

the of the audit and accountability policy addresses coordination among organizational entities;

-

the of the audit and accountability policy addresses compliance;

+

the of the audit and accountability policy addresses compliance;

-

the of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

+

the of the audit and accountability policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

-

the is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the audit and accountability policy and procedures;

@@ -12616,22 +11919,22 @@ -

the current audit and accountability policy is reviewed and updated ;

+

the current audit and accountability policy is reviewed and updated ;

-

the current audit and accountability policy is reviewed and updated following ;

+

the current audit and accountability policy is reviewed and updated following ;

-

the current audit and accountability procedures are reviewed and updated ;

+

the current audit and accountability procedures are reviewed and updated ;

-

the current audit and accountability procedures are reviewed and updated following .

+

the current audit and accountability procedures are reviewed and updated following .

@@ -12658,53 +11961,45 @@ Event Logging - - + + - + - -

the event types that the system is capable of logging in support of the audit function are defined;

-
+ +

the event types that the system is capable of logging in support of the audit function are defined;

+
- -

the event types (subset of AU-02_ODP[01]) for logging within the system are defined;

-
+ +

the event types (subset of AU-02_ODP[01]) for logging within the system are defined;

+
- -

the frequency or situation requiring logging for each specified event type is defined;

-
+ +

the frequency or situation requiring logging for each specified event type is defined;

+
- -

the frequency of event types selected for logging are reviewed and updated;

-
+ +

the frequency of event types selected for logging are reviewed and updated;

+
- + @@ -12744,7 +12039,7 @@ -

Identify the types of events that the system is capable of logging in support of the audit function: ;

+

Identify the types of events that the system is capable of logging in support of the audit function: ;

@@ -12752,7 +12047,7 @@ -

Specify the following event types for logging within the system: ;

+

Specify the following event types for logging within the system: ;

@@ -12760,20 +12055,19 @@ -

Review and update the event types selected for logging .

+

Review and update the event types selected for logging .

An event is an observable occurrence in a system. The types of events that require logging are those events that are significant and relevant to the security of systems and the privacy of individuals. Event logging also supports specific monitoring and auditing needs. Event types include password changes, failed logons or failed accesses related to systems, security or privacy attribute changes, administrative privilege usage, PIV credential usage, data action changes, query parameters, or external credential usage. In determining the set of event types that require logging, organizations consider the monitoring and auditing appropriate for each of the controls to be implemented. For completeness, event logging includes all protocols that are operational and supported by the system.

To balance monitoring and auditing requirements with other system needs, event logging requires identifying the subset of event types that are logged at a given point in time. For example, organizations may determine that systems need the capability to log every file access successful and unsuccessful, but not activate that capability except for specific circumstances due to the potential burden on system performance. The types of events that organizations desire to be logged may change. Reviewing and updating the set of logged events is necessary to help ensure that the events remain relevant and continue to support the needs of the organization. Organizations consider how the types of logging events can reveal information about individuals that may give rise to privacy risk and how best to mitigate such risks. For example, there is the potential to reveal personally identifiable information in the audit trail, especially if the logging event is based on patterns or time of usage.

-

Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3)(b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8) , and SI-10(1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.

+

Event logging requirements, including the need to log specific event types, may be referenced in other controls and control enhancements. These include AC-2(4), AC-3(10), AC-6(9), AC-17(1), CM-3f, CM-5(1), IA-3(3)(b), MA-4(1), MP-4(2), PE-3, PM-21, PT-7, RA-8, SC-7(9), SC-7(15), SI-3(8), SI-4(22), SI-7(8) , and SI-10(1) . Organizations include event types that are required by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. Audit records can be generated at various levels, including at the packet level as information traverses the network. Selecting the appropriate level of event logging is an important part of a monitoring and auditing capability and can identify the root causes of problems. When defining event types, organizations consider the logging necessary to cover related event types, such as the steps in distributed, transaction-based processes and the actions that occur in service-oriented architectures.

-

- that the system is capable of logging are identified in support of the audit logging function;

+

that the system is capable of logging are identified in support of the audit logging function;

@@ -12783,12 +12077,11 @@ -

- are specified for logging within the system;

+

are specified for logging within the system;

-

the specified event types are logged within the system ;

+

the specified event types are logged within the system ;

@@ -12797,7 +12090,7 @@ -

the event types selected for logging are reviewed and updated .

+

the event types selected for logging are reviewed and updated .

@@ -12869,9 +12162,7 @@ - + @@ -12978,26 +12269,24 @@ - -

additional information to be included in audit records is defined;

-
+ +

additional information to be included in audit records is defined;

+
- + -

Generate audit records containing the following additional information: .

+

Generate audit records containing the following additional information: .

The ability to add information generated in audit records is dependent on system functionality to configure the audit record content. Organizations may consider additional information in audit records including, but not limited to, access control or flow control rules invoked and individual identities of group account users. Organizations may also consider limiting additional audit record information to only information that is explicitly needed for audit requirements. This facilitates the use of audit trails and audit logs by not including information in audit records that could potentially be misleading, make it more difficult to locate information of interest, or increase the risk to individuals' privacy.

-

generated audit records contain the following .

+

generated audit records contain the following .

@@ -13046,27 +12335,25 @@ - -

elements identified in the privacy risk assessment are defined;

-
+ +

elements identified in the privacy risk assessment are defined;

+
- + -

Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: .

+

Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: .

Limiting personally identifiable information in audit records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system.

-

personally identifiable information contained in audit records is limited to identified in the privacy risk assessment.

+

personally identifiable information contained in audit records is limited to identified in the privacy risk assessment.

@@ -13111,19 +12398,15 @@ - -

audit log retention requirements are defined;

-
+ +

audit log retention requirements are defined;

+
- - + + @@ -13134,14 +12417,14 @@ -

Allocate audit log storage capacity to accommodate .

+

Allocate audit log storage capacity to accommodate .

Organizations consider the types of audit logging to be performed and the audit log processing requirements when allocating audit log storage capacity. Allocating sufficient audit log storage capacity reduces the likelihood of such capacity being exceeded and resulting in the potential loss or reduction of audit logging capability.

-

audit log storage capacity is allocated to accommodate .

+

audit log storage capacity is allocated to accommodate .

@@ -13182,29 +12465,25 @@ - -

the frequency of audit logs transferred to a different system, system component, or media other than the system or system component conducting the logging is defined;

-
+ +

the frequency of audit logs transferred to a different system, system component, or media other than the system or system component conducting the logging is defined;

+
- - + + -

Transfer audit logs to a different system, system component, or media other than the system or system component conducting the logging.

+

Transfer audit logs to a different system, system component, or media other than the system or system component conducting the logging.

-

Audit log transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is only used in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. Transferring audit logs to alternate storage is similar to AU-9(2) in that audit logs are transferred to a different entity. However, the purpose of selecting AU-9(2) is to protect the confidentiality and integrity of audit records. Organizations can select either control enhancement to obtain the benefit of increased audit log storage capacity and preserving the confidentiality, integrity, and availability of audit records and logs.

+

Audit log transfer, also known as off-loading, is a common process in systems with limited audit log storage capacity and thus supports availability of the audit logs. The initial audit log storage is only used in a transitory fashion until the system can communicate with the secondary or alternate system allocated to audit log storage, at which point the audit logs are transferred. Transferring audit logs to alternate storage is similar to AU-9(2) in that audit logs are transferred to a different entity. However, the purpose of selecting AU-9(2) is to protect the confidentiality and integrity of audit records. Organizations can select either control enhancement to obtain the benefit of increased audit log storage capacity and preserving the confidentiality, integrity, and availability of audit records and logs.

-

audit logs are transferred to a different system, system component, or media other than the system or system component conducting the logging.

+

audit logs are transferred to a different system, system component, or media other than the system or system component conducting the logging.

@@ -13246,32 +12525,30 @@ - -

personnel or roles receiving audit logging process failure alerts are defined;

-
+ +

personnel or roles receiving audit logging process failure alerts are defined;

+
- -

time period for personnel or roles receiving audit logging process failure alerts is defined;

-
+ +

time period for personnel or roles receiving audit logging process failure alerts is defined;

+
- -

additional actions to be taken in the event of an audit logging process failure are defined;

-
+ +

additional actions to be taken in the event of an audit logging process failure are defined;

+
- + @@ -13284,11 +12561,11 @@ -

Alert within in the event of an audit logging process failure; and

+

Alert within in the event of an audit logging process failure; and

-

Take the following additional actions: .

+

Take the following additional actions: .

@@ -13298,13 +12575,11 @@ -

- are alerted in the event of an audit logging process failure within ;

+

are alerted in the event of an audit logging process failure within ;

-

- are taken in the event of an audit logging process failure.

+

are taken in the event of an audit logging process failure.

@@ -13345,42 +12620,40 @@ - -

personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity.

-
+ +

personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity.

+
- -

time period for defined personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity is defined;

-
+ +

time period for defined personnel, roles, and/or locations to be warned when allocated audit log storage volume reaches a percentage of repository maximum audit log storage capacity is defined;

+
- -

percentage of repository maximum audit log storage capacity is defined;

-
+ +

percentage of repository maximum audit log storage capacity is defined;

+
- + -

Provide a warning to within when allocated audit log storage volume reaches of repository maximum audit log storage capacity.

+

Provide a warning to within when allocated audit log storage volume reaches of repository maximum audit log storage capacity.

Organizations may have multiple audit log storage repositories distributed across multiple system components with each repository having different storage volume capacities.

-

a warning is provided to within when allocated audit log storage volume reaches of repository maximum audit log storage capacity.

+

a warning is provided to within when allocated audit log storage volume reaches of repository maximum audit log storage capacity.

@@ -13419,42 +12692,40 @@ - -

real-time period requiring alerts when audit failure events (defined in AU-05(02)_ODP[03]) occur is defined;

-
+ +

real-time period requiring alerts when audit failure events (defined in AU-05(02)_ODP[03]) occur is defined;

+
- -

personnel, roles, and/or locations to be alerted in real time when audit failure events (defined in AU-05(02)_ODP[03]) occur is/are defined;

-
+ +

personnel, roles, and/or locations to be alerted in real time when audit failure events (defined in AU-05(02)_ODP[03]) occur is/are defined;

+
- -

audit logging failure events requiring real-time alerts are defined;

-
+ +

audit logging failure events requiring real-time alerts are defined;

+
- + -

Provide an alert within to when the following audit failure events occur: .

+

Provide an alert within to when the following audit failure events occur: .

Alerts provide organizations with urgent messages. Real-time alerts provide these messages at information technology speed (i.e., the time from event detection to alert occurs in seconds or less).

-

an alert is provided within to when occur.

+

an alert is provided within to when occur.

@@ -13494,12 +12765,10 @@ - + -

Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and network traffic above those thresholds.

+

Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and network traffic above those thresholds.

Organizations have the capability to reject or delay the processing of network communications traffic if audit logging information about such traffic is determined to exceed the storage capacity of the system audit logging function. The rejection or delay response is triggered by the established organizational traffic volume thresholds that can be adjusted based on changes to audit log storage capacity.

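Review bot: this hunk shrinks from 12 to 10 lines (header `-13494,12 +12765,10`), so the reformat is deleting lines here, not only re-indenting them. Please confirm the two dropped lines were whitespace-only text nodes between elements and not a blank line or empty element inside the statement paragraph "Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and network traffic above those thresholds.", where the gap after "and" marks an inline selection element whose surrounding spacing has to survive for the rendered statement to read correctly.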
@@ -13512,7 +12781,7 @@
-

network traffic is if network traffic volume is above configured thresholds.

+

network traffic is if network traffic volume is above configured thresholds.

@@ -13555,28 +12824,25 @@ - -

audit logging failures that trigger a change in operational mode are defined;

-
+ +

audit logging failures that trigger a change in operational mode are defined;

+
- + -

Invoke a in the event of , unless an alternate audit logging capability exists.

+

Invoke a in the event of , unless an alternate audit logging capability exists.

Organizations determine the types of audit logging failures that can trigger automatic system shutdowns or degraded operations. Because of the importance of ensuring mission and business continuity, organizations may determine that the nature of the audit logging failure is not so severe that it warrants a complete shutdown of the system supporting the core organizational mission and business functions. In those instances, partial system shutdowns or operating in a degraded mode with reduced capability may be viable alternatives.

-

- is/are invoked in the event of , unless an alternate audit logging capability exists.

+

is/are invoked in the event of , unless an alternate audit logging capability exists.

@@ -13616,27 +12882,25 @@ - -

an alternate audit logging functionality in the event of a failure in primary audit logging capability is defined;

-
+ +

an alternate audit logging functionality in the event of a failure in primary audit logging capability is defined;

+
- + -

Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements .

+

Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements .

Since an alternate audit logging capability may be a short-term protection solution employed until the failure in the primary audit logging capability is corrected, organizations may determine that the alternate audit logging capability need only provide a subset of the primary audit logging functionality that is impacted by the failure.

-

an alternate audit logging capability is provided in the event of a failure in primary audit logging capability that implements .

+

an alternate audit logging capability is provided in the event of a failure in primary audit logging capability that implements .

@@ -13677,35 +12941,31 @@ - -

frequency at which system audit records are reviewed and analyzed is defined;

-
+ +

frequency at which system audit records are reviewed and analyzed is defined;

+
- -

inappropriate or unusual activity is defined;

-
+ +

inappropriate or unusual activity is defined;

+
- -

personnel or roles to receive findings from reviews and analyses of system records is/are defined;

-
+ +

personnel or roles to receive findings from reviews and analyses of system records is/are defined;

+
- - + + @@ -13741,11 +13001,11 @@ -

Review and analyze system audit records for indications of and the potential impact of the inappropriate or unusual activity;

+

Review and analyze system audit records for indications of and the potential impact of the inappropriate or unusual activity;

-

Report findings to ; and

+

Report findings to ; and

@@ -13759,11 +13019,11 @@ -

system audit records are reviewed and analyzed for indications of and the potential impact of the inappropriate or unusual activity;

+

system audit records are reviewed and analyzed for indications of and the potential impact of the inappropriate or unusual activity;

-

findings are reported to ;

+

findings are reported to ;

@@ -13797,30 +13057,26 @@ - -

automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;

-
+ +

automated mechanisms used for integrating audit record review, analysis, and reporting processes are defined;

+
- - + + -

Integrate audit record review, analysis, and reporting processes using .

+

Integrate audit record review, analysis, and reporting processes using .

Organizational processes that benefit from integrated audit record review, analysis, and reporting include incident response, continuous monitoring, contingency planning, investigation and response to suspicious activities, and Inspector General audits.

-

audit record review, analysis, and reporting processes are integrated using .

+

audit record review, analysis, and reporting processes are integrated using .

@@ -13866,12 +13122,8 @@ - - + + @@ -13920,12 +13172,8 @@ - - + + @@ -13986,40 +13234,34 @@ vulnerability scanning information performance data system monitoring information - - - + - -

data/information collected from other sources to be analyzed is defined (if selected);

-
+ +

data/information collected from other sources to be analyzed is defined (if selected);

+
- - + + -

Integrate analysis of audit records with analysis of to further enhance the ability to identify inappropriate or unusual activity.

+

Integrate analysis of audit records with analysis of to further enhance the ability to identify inappropriate or unusual activity.

Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial-of-service attacks or other types of attacks that result in the unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations.

-

analysis of audit records is integrated with analysis of to further enhance the ability to identify inappropriate or unusual activity.

+

analysis of audit records is integrated with analysis of to further enhance the ability to identify inappropriate or unusual activity.

@@ -14056,12 +13298,8 @@ - - + +

Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

@@ -14119,22 +13357,18 @@ - - + + -

Specify the permitted actions for each associated with the review, analysis, and reporting of audit record information.

+

Specify the permitted actions for each associated with the review, analysis, and reporting of audit record information.

Organizations specify permitted actions for system processes, roles, and users associated with the review, analysis, and reporting of audit records through system account management activities. Specifying permitted actions on audit record information is a way to enforce the principle of least privilege. Permitted actions are enforced by the system and include read, write, execute, append, and delete.

-

the permitted actions for each associated with the review, analysis, and reporting of audit record information are specified.

+

the permitted actions for each associated with the review, analysis, and reporting of audit record information are specified.

@@ -14168,12 +13402,8 @@ - - + + @@ -14225,12 +13455,8 @@ - - + + @@ -14288,12 +13514,8 @@ - - + + @@ -14382,22 +13604,18 @@ - -

fields within audit records that can be processed, sorted, or searched are defined;

-
+ +

fields within audit records that can be processed, sorted, or searched are defined;

+
- - + + -

Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: .

+

Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: .

Events of interest can be identified by the content of audit records, including system resources involved, information objects accessed, identities of individuals, event types, event locations, event dates and times, Internet Protocol addresses involved, or event success or failure. Organizations may define event criteria to any degree of granularity required, such as locations selectable by a general networking location or by specific system component.

@@ -14406,11 +13624,11 @@ -

the capability to process, sort, and search audit records for events of interest based on are provided;

+

the capability to process, sort, and search audit records for events of interest based on are provided;

-

the capability to process, sort, and search audit records for events of interest based on are implemented.

+

the capability to process, sort, and search audit records for events of interest based on are implemented.

@@ -14461,16 +13679,14 @@ - -

granularity of time measurement for audit record timestamps is defined;

-
+ +

granularity of time measurement for audit record timestamps is defined;

+
- + @@ -14482,7 +13698,7 @@
-

Record time stamps for audit records that meet and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.

+

Record time stamps for audit records that meet and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.

@@ -14496,7 +13712,7 @@ -

timestamps are recorded for audit records that meet and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.

+

timestamps are recorded for audit records that meet and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or include the local time offset as part of the timestamp.

@@ -14552,16 +13768,14 @@ - -

personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;

-
+ +

personnel or roles to be alerted upon detection of unauthorized access, modification, or deletion of audit information is/are defined;

+
- + @@ -14586,7 +13800,7 @@
-

Alert upon detection of unauthorized access, modification, or deletion of audit information.

+

Alert upon detection of unauthorized access, modification, or deletion of audit information.

@@ -14600,8 +13814,7 @@ -

- are alerted upon detection of unauthorized access, modification, or deletion of audit information.

+

are alerted upon detection of unauthorized access, modification, or deletion of audit information.

@@ -14642,9 +13855,7 @@ - + @@ -14699,28 +13910,26 @@ - -

the frequency of storing audit records in a repository is defined;

-
+ +

the frequency of storing audit records in a repository is defined;

+
- + -

Store audit records in a repository that is part of a physically different system or system component than the system or component being audited.

+

Store audit records in a repository that is part of a physically different system or system component than the system or component being audited.

Storing audit records in a repository separate from the audited system or system component helps to ensure that a compromise of the system being audited does not also result in a compromise of the audit records. Storing audit records on separate physical systems or components also preserves the confidentiality and integrity of audit records and facilitates the management of audit records as an organization-wide activity. Storing audit records on separate systems or components applies to initial generation as well as backup or long-term storage of audit records.

-

audit records are stored in a repository that is part of a physically different system or system component than the system or component being audited.

+

audit records are stored in a repository that is part of a physically different system or system component than the system or component being audited.

@@ -14760,9 +13969,7 @@ - + @@ -14817,27 +14024,25 @@ - -

a subset of privileged users or roles authorized to access management of audit logging functionality is defined;

-
+ +

a subset of privileged users or roles authorized to access management of audit logging functionality is defined;

+
- + -

Authorize access to management of audit logging functionality to only .

+

Authorize access to management of audit logging functionality to only .

Individuals or roles with privileged access to a system and who are also the subject of an audit by that system may affect the reliability of the audit information by inhibiting audit activities or modifying audit records. Requiring privileged access to be further defined between audit-related privileges and other privileges limits the number of users or roles with audit-related privileges.

-

access to management of audit logging functionality is authorized only to .

+

access to management of audit logging functionality is authorized only to .

@@ -14888,30 +14093,26 @@ - -

audit information for which dual authorization is to be enforced is defined;

-
+ +

audit information for which dual authorization is to be enforced is defined;

+
- - + + -

Enforce dual authorization for of .

+

Enforce dual authorization for of .

Organizations may choose different selection options for different types of audit information. Dual authorization mechanisms (also known as two-person control) require the approval of two authorized individuals to execute audit functions. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. Organizations do not require dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety.

-

dual authorization is enforced for the of .

+

dual authorization is enforced for the of .

@@ -14952,29 +14153,25 @@ - -

a subset of privileged users or roles with authorized read-only access to audit information is defined;

-
+ +

a subset of privileged users or roles with authorized read-only access to audit information is defined;

+
- - + + -

Authorize read-only access to audit information to .

+

Authorize read-only access to audit information to .

Restricting privileged user or role authorizations to read-only helps to limit the potential damage to organizations that could be initiated by such users or roles, such as deleting audit records to cover up malicious activity.

-

read-only access to audit information is authorized to .

+

read-only access to audit information is authorized to .

@@ -15016,9 +14213,7 @@ - + @@ -15072,24 +14267,18 @@ Non-repudiation - + - -

actions to be covered by non-repudiation are defined;

-
+ +

actions to be covered by non-repudiation are defined;

+
- - + + @@ -15105,14 +14294,14 @@ -

Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed .

+

Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed .

Types of individual actions covered by non-repudiation include creating information, sending and receiving messages, and approving information. Non-repudiation protects against claims by authors of not having authored certain documents, senders of not having transmitted messages, receivers of not having received messages, and signatories of not having signed documents. Non-repudiation services can be used to determine if information originated from an individual or if an individual took specific actions (e.g., sending an email, signing a contract, approving a procurement request, or receiving specific information). Organizations obtain non-repudiation services by employing various techniques or mechanisms, including digital signatures and digital message receipts.

-

irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed .

+

irrefutable evidence is provided that an individual (or process acting on behalf of an individual) has performed .

@@ -15150,26 +14339,22 @@ - -

the strength of binding between the identity of the information producer and the information is defined;

-
+ +

the strength of binding between the identity of the information producer and the information is defined;

+
- - + + -

Bind the identity of the information producer with the information to ; and

+

Bind the identity of the information producer with the information to ; and

@@ -15183,7 +14368,7 @@ -

the identity of the information producer is bound with the information to ;

+

the identity of the information producer is bound with the information to ;

@@ -15227,27 +14412,23 @@ - -

the frequency at which to validate the binding of the information producer identity to the information is defined;

-
+ +

the frequency at which to validate the binding of the information producer identity to the information is defined;

+
- -

the actions to be performed in the event of a validation error are defined;

-
+ +

the actions to be performed in the event of a validation error are defined;

+
- - + + @@ -15255,11 +14436,11 @@ -

Validate the binding of the information producer identity to the information at ; and

+

Validate the binding of the information producer identity to the information at ; and

-

Perform in the event of a validation error.

+

Perform in the event of a validation error.

@@ -15269,12 +14450,11 @@ -

the binding of the information producer identity to the information is validated at ;

+

the binding of the information producer identity to the information is validated at ;

-

- in the event of a validation error are performed.

+

in the event of a validation error are performed.

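Review bot: the removed pair at the end of this hunk ("-" followed by "- in the event of a validation error are performed.") had the inline parameter element and its trailing text on separate lines, and the replacement joins them into one line ("in the event of a validation error are performed."). The gap before "in the event" is where an inline element sits inside prose, and whitespace between an inline element and the text that follows it is significant in mixed content, so a reformat that removes or inserts line breaks there can drop or add a space in the rendered statement. Please confirm that the reformatting step leaves whitespace inside mixed-content prose untouched (re-indent element structure only, treat prose content as verbatim) and spot-check the rendered output for one of these lines; the same join appears later in the hunks for "are performed in the event of a validation error.", "are employed to ensure that long-term audit records generated by the system can be retrieved.", "is/are allowed to select the event types that are to be logged by specific components of the system;", "Monitor - for evidence of unauthorized disclosure of organizational information; and", and "assessment, authorization, and monitoring policy that:".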
@@ -15314,15 +14494,9 @@ - - - + + + @@ -15374,38 +14548,34 @@ - -

security domains for which the binding of the information reviewer identity to the information is to be validated at transfer or release are defined;

-
+ +

security domains for which the binding of the information reviewer identity to the information is to be validated at transfer or release are defined;

+
- -

actions to be performed in the event of a validation error are defined;

-
+ +

actions to be performed in the event of a validation error are defined;

+
- - + + -

Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between ; and

+

Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between ; and

-

Perform in the event of a validation error.

+

Perform in the event of a validation error.

@@ -15415,12 +14585,11 @@ -

the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between is validated;

+

the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between is validated;

-

- are performed in the event of a validation error.

+

are performed in the event of a validation error.

@@ -15468,21 +14637,17 @@ Audit Record Retention - + - -

a time period to retain audit records that is consistent with the records retention policy is defined;

-
+ +

a time period to retain audit records that is consistent with the records retention policy is defined;

+
- + @@ -15494,14 +14659,14 @@ -

Retain audit records for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

+

Retain audit records for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

Organizations retain audit records until it is determined that the records are no longer needed for administrative, legal, audit, or other operational purposes. This includes the retention and availability of audit records relative to Freedom of Information Act (FOIA) requests, subpoenas, and law enforcement actions. Organizations develop standard categories of audit records relative to such types of actions and standard response processes for each type of action. The National Archives and Records Administration (NARA) General Records Schedules provide federal policy on records retention.

-

audit records are retained for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

+

audit records are retained for to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

@@ -15534,30 +14699,25 @@ - -

measures to be employed to ensure that long-term audit records generated by the system can be retrieved are defined;

-
+ +

measures to be employed to ensure that long-term audit records generated by the system can be retrieved are defined;

+
- - + + -

Employ to ensure that long-term audit records generated by the system can be retrieved.

+

Employ to ensure that long-term audit records generated by the system can be retrieved.

Organizations need to access and read audit records requiring long-term storage (on the order of years). Measures employed to help facilitate the retrieval of audit records include converting records to newer formats, retaining equipment capable of reading the records, and retaining the necessary documentation to help personnel understand how to interpret the records.

-

- are employed to ensure that long-term audit records generated by the system can be retrieved.

+

are employed to ensure that long-term audit records generated by the system can be retrieved.

@@ -15599,24 +14759,22 @@ - -

system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;

-
+ +

system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;

+
- -

personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;

-
+ +

personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;

+
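Review bot: "system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;" is carried over unchanged into the "+" line, which is correct for a whitespace-only commit, but "events types" should read "event types" (as in the neighbouring "select the event types that are to be logged by specific components of the system") and deserves a separate content fix rather than being folded into this reformat.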
- + @@ -15639,30 +14797,29 @@ -

Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on ;

+

Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on ;

-

Allow to select the event types that are to be logged by specific components of the system; and

+

Allow to select the event types that are to be logged by specific components of the system; and

-

Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

+

Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.

-

Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.

+

Audit records can be generated from many different system components. The event types specified in AU-2d are the event types for which audit logs are to be generated and are a subset of all event types for which the system can generate audit records.

-

audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by ;

+

audit record generation capability for the event types the system is capable of auditing (defined in AU-02_ODP[01]) is provided by ;

-

- is/are allowed to select the event types that are to be logged by specific components of the system;

+

is/are allowed to select the event types that are to be logged by specific components of the system;

@@ -15707,39 +14864,35 @@ - -

system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail are defined;

-
+ +

system components from which audit records are to be compiled into a system-wide (logical or physical) audit trail are defined;

+
- + - -

level of tolerance for the relationship between timestamps of individual records in the audit trail is defined;

-
+ +

level of tolerance for the relationship between timestamps of individual records in the audit trail is defined;

+
- + -

Compile audit records from into a system-wide (logical or physical) audit trail that is time-correlated to within .

+

Compile audit records from into a system-wide (logical or physical) audit trail that is time-correlated to within .

Audit trails are time-correlated if the time stamps in the individual audit records can be reliably related to the time stamps in other audit records to achieve a time ordering of the records within organizational tolerances.

-

audit records from are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within .

+

audit records from are compiled into a system-wide (logical or physical) audit trail that is time-correlated to within .

@@ -15779,9 +14932,7 @@ - +

Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.

@@ -15832,44 +14983,42 @@ - -

individuals or roles authorized to change the logging on system components are defined;

-
+ +

individuals or roles authorized to change the logging on system components are defined;

+
- -

system components on which logging is to be performed are defined;

-
+ +

system components on which logging is to be performed are defined;

+
- -

selectable event criteria with which change logging is to be performed are defined;

-
+ +

selectable event criteria with which change logging is to be performed are defined;

+
- -

time thresholds in which logging actions are to change is defined;

-
+ +

time thresholds in which logging actions are to change is defined;

+
- + -

Provide and implement the capability for to change the logging to be performed on based on within .

+

Provide and implement the capability for to change the logging to be performed on based on within .

Permitting authorized individuals to make changes to system logging enables organizations to extend or limit logging as necessary to meet organizational requirements. Logging that is limited to conserve system resources may be extended (either temporarily or permanently) to address certain threat situations. In addition, logging may be limited to a specific set of event types to facilitate audit reduction, analysis, and reporting. Organizations can establish time thresholds in which logging actions are changed (e.g., near real-time, within minutes, or within hours).

@@ -15878,11 +15027,11 @@ -

the capability for to change the logging to be performed on based on within is provided;

+

the capability for to change the logging to be performed on based on within is provided;

-

the capability for to change the logging to be performed on based on within is implemented.

+

the capability for to change the logging to be performed on based on within is implemented.

@@ -15923,9 +15072,7 @@ - +

Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.

@@ -15985,43 +15132,39 @@ - -

open-source information and/or information sites to be monitored for evidence of unauthorized disclosure of organizational information is/are defined;

-
+ +

open-source information and/or information sites to be monitored for evidence of unauthorized disclosure of organizational information is/are defined;

+
- -

the frequency with which open-source information and/or information sites are monitored for evidence of unauthorized disclosure of organizational information is defined;

-
+ +

the frequency with which open-source information and/or information sites are monitored for evidence of unauthorized disclosure of organizational information is defined;

+
- -

personnel or roles to be notified if an information disclosure is discovered is/are defined;

-
+ +

personnel or roles to be notified if an information disclosure is discovered is/are defined;

+
- -

additional actions to be taken if an information disclosure is discovered are defined;

-
+ +

additional actions to be taken if an information disclosure is discovered are defined;

+
- - + + @@ -16031,19 +15174,18 @@ -

Monitor - for evidence of unauthorized disclosure of organizational information; and

+

Monitor for evidence of unauthorized disclosure of organizational information; and

If an information disclosure is discovered:

-

Notify ; and

+

Notify ; and

-

Take the following additional actions: .

+

Take the following additional actions: .

@@ -16054,20 +15196,17 @@ -

- is/are monitored for evidence of unauthorized disclosure of organizational information;

+

is/are monitored for evidence of unauthorized disclosure of organizational information;

-

- are notified if an information disclosure is discovered;

+

are notified if an information disclosure is discovered;

-

- are taken if an information disclosure is discovered.

+

are taken if an information disclosure is discovered.

@@ -16107,32 +15246,26 @@ - -

automated mechanisms for monitoring open-source information and information sites are defined;

-
+ +

automated mechanisms for monitoring open-source information and information sites are defined;

+
- - - + + + -

Monitor open-source information and information sites using .

+

Monitor open-source information and information sites using .

Automated mechanisms include commercial services that provide notifications and alerts to organizations and automated scripts to monitor new posts on websites.

-

open-source information and information sites are monitored using .

+

open-source information and information sites are monitored using .

@@ -16171,29 +15304,25 @@ - -

the frequency at which to review the open-source information sites being monitored is defined;

-
+ +

the frequency at which to review the open-source information sites being monitored is defined;

+
- - + + -

Review the list of open-source information sites being monitored .

+

Review the list of open-source information sites being monitored .

Reviewing the current list of open-source information sites being monitored on a regular basis helps to ensure that the selected sites remain relevant. The review also provides the opportunity to add new open-source information sites with the potential to provide evidence of unauthorized disclosure of organizational information. The list of sites monitored can be guided and informed by threat intelligence of other credible sources of information.

-

the list of open-source information sites being monitored is reviewed .

+

the list of open-source information sites being monitored is reviewed .

@@ -16231,15 +15360,9 @@ - - - + + +

Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner.

@@ -16290,9 +15413,9 @@ - -

users or roles who can audit the content of a user session are defined;

-
+ +

users or roles who can audit the content of a user session are defined;

+
@@ -16308,19 +15431,15 @@ - -

circumstances under which the content of a user session can be audited are defined;

-
+ +

circumstances under which the content of a user session can be audited are defined;

+
- - + + @@ -16334,7 +15453,7 @@ -

Provide and implement the capability for to the content of a user session under ; and

+

Provide and implement the capability for to the content of a user session under ; and

@@ -16350,12 +15469,11 @@ -

- are provided with the capability to the content of a user session under ;

+

are provided with the capability to the content of a user session under ;

-

the capability for to the content of a user session under is implemented;

+

the capability for to the content of a user session under is implemented;

@@ -16411,12 +15529,8 @@ - - + +

Initiate session audits automatically at system start-up.

@@ -16472,12 +15586,8 @@ - - + + @@ -16545,39 +15655,36 @@ - -

methods for coordinating audit information among external organizations when audit information is transmitted across organizational boundaries are defined;

-
+ +

methods for coordinating audit information among external organizations when audit information is transmitted across organizational boundaries are defined;

+
- -

audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries is defined;

-
+ +

audit information to be coordinated among external organizations when audit information is transmitted across organizational boundaries is defined;

+
- + -

Employ for coordinating among external organizations when audit information is transmitted across organizational boundaries.

+

Employ for coordinating among external organizations when audit information is transmitted across organizational boundaries.

When organizations use systems or services of external organizations, the audit logging capability necessitates a coordinated, cross-organization approach. For example, maintaining the identity of individuals who request specific services across organizational boundaries may often be difficult, and doing so may prove to have significant performance and privacy ramifications. Therefore, it is often the case that cross-organizational audit logging simply captures the identity of individuals who issue requests at the initial system, and subsequent systems record that the requests originated from authorized individuals. Organizations consider including processes for coordinating audit information requirements and protection of audit information in information exchange agreements.

-

- for coordinating among external organizations when audit information is transmitted across organizational boundaries are employed.

+

for coordinating among external organizations when audit information is transmitted across organizational boundaries are employed.

@@ -16613,9 +15720,7 @@ - + @@ -16667,36 +15772,34 @@ - -

organizations with which cross-organizational audit information is to be shared are defined;

-
+ +

organizations with which cross-organizational audit information is to be shared are defined;

+
- -

cross-organizational sharing agreements to be used when providing cross-organizational audit information to organizations are defined;

-
+ +

cross-organizational sharing agreements to be used when providing cross-organizational audit information to organizations are defined;

+
- + -

Provide cross-organizational audit information to based on .

+

Provide cross-organizational audit information to based on .

Due to the distributed nature of the audit information, cross-organization sharing of audit information may be essential for effective analysis of the auditing being performed. For example, the audit records of one organization may not provide sufficient information to determine the appropriate or inappropriate use of organizational information resources by individuals in other organizations. In some instances, only individuals’ home organizations have the appropriate knowledge to make such determinations, thus requiring the sharing of audit information among organizations.

-

cross-organizational audit information is provided to based on .

+

cross-organizational audit information is provided to based on .

@@ -16725,27 +15828,24 @@ - -

measures to disassociate individuals from audit information transmitted across organizational boundaries are defined;

-
+ +

measures to disassociate individuals from audit information transmitted across organizational boundaries are defined;

+
- + -

Implement to disassociate individuals from audit information transmitted across organizational boundaries.

+

Implement to disassociate individuals from audit information transmitted across organizational boundaries.

Preserving identities in audit trails could have privacy ramifications, such as enabling the tracking and profiling of individuals, but may not be operationally necessary. These risks could be further amplified when transmitting information across organizational boundaries. Implementing privacy-enhancing cryptographic techniques can disassociate individuals from audit information and reduce privacy risk while maintaining accountability.

-

- are implemented to disassociate individuals from audit information transmitted across organizational boundaries.

+

are implemented to disassociate individuals from audit information transmitted across organizational boundaries.

@@ -16785,27 +15885,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the assessment, authorization, and monitoring policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the assessment, authorization, and monitoring procedures are to be disseminated is/are defined;

+
@@ -16820,51 +15916,47 @@ - -

an official to manage the assessment, authorization, and monitoring policy and procedures is defined;

-
+ +

an official to manage the assessment, authorization, and monitoring policy and procedures is defined;

+
- -

the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;

-
+ +

the frequency at which the current assessment, authorization, and monitoring policy is reviewed and updated is defined;

+
- -

events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;

-
+ +

events that would require the current assessment, authorization, and monitoring policy to be reviewed and updated are defined;

+
- -

the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;

-
+ +

the frequency at which the current assessment, authorization, and monitoring procedures are reviewed and updated is defined;

+
- -

events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;

-
+ +

events that would require assessment, authorization, and monitoring procedures to be reviewed and updated are defined;

+
- - + + @@ -16881,11 +15973,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- assessment, authorization, and monitoring policy that:

+

assessment, authorization, and monitoring policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

@@ -16902,18 +15993,18 @@
-

Designate an to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and

Review and update the current assessment, authorization, and monitoring:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -16930,7 +16021,7 @@
-

the assessment, authorization, and monitoring policy is disseminated to ;

+

the assessment, authorization, and monitoring policy is disseminated to ;

@@ -16938,7 +16029,7 @@ -

the assessment, authorization, and monitoring procedures are disseminated to ;

+

the assessment, authorization, and monitoring procedures are disseminated to ;

@@ -16946,42 +16037,42 @@ -

the assessment, authorization, and monitoring policy addresses purpose;

+

the assessment, authorization, and monitoring policy addresses purpose;

-

the assessment, authorization, and monitoring policy addresses scope;

+

the assessment, authorization, and monitoring policy addresses scope;

-

the assessment, authorization, and monitoring policy addresses roles;

+

the assessment, authorization, and monitoring policy addresses roles;

-

the assessment, authorization, and monitoring policy addresses responsibilities;

+

the assessment, authorization, and monitoring policy addresses responsibilities;

-

the assessment, authorization, and monitoring policy addresses management commitment;

+

the assessment, authorization, and monitoring policy addresses management commitment;

-

the assessment, authorization, and monitoring policy addresses coordination among organizational entities;

+

the assessment, authorization, and monitoring policy addresses coordination among organizational entities;

-

the assessment, authorization, and monitoring policy addresses compliance;

+

the assessment, authorization, and monitoring policy addresses compliance;

-

the assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

+

the assessment, authorization, and monitoring policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

-

the is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures;

@@ -16989,22 +16080,22 @@ -

the current assessment, authorization, and monitoring policy is reviewed and updated ;

+

the current assessment, authorization, and monitoring policy is reviewed and updated ;

-

the current assessment, authorization, and monitoring policy is reviewed and updated following ;

+

the current assessment, authorization, and monitoring policy is reviewed and updated following ;

-

the current assessment, authorization, and monitoring procedures are reviewed and updated ;

+

the current assessment, authorization, and monitoring procedures are reviewed and updated ;

-

the current assessment, authorization, and monitoring procedures are reviewed and updated following .

+

the current assessment, authorization, and monitoring procedures are reviewed and updated following .

@@ -17035,27 +16126,23 @@ - -

the frequency at which to assess controls in the system and its environment of operation is defined;

-
+ +

the frequency at which to assess controls in the system and its environment of operation is defined;

+
- -

individuals or roles to whom control assessment results are to be provided are defined;

-
+ +

individuals or roles to whom control assessment results are to be provided are defined;

+
- - + + @@ -17106,7 +16193,7 @@
-

Assess the controls in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;

+

Assess the controls in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;

@@ -17114,7 +16201,7 @@ -

Provide the results of the control assessment to .

+

Provide the results of the control assessment to .

@@ -17122,7 +16209,7 @@

Organizations assess controls in systems and the environments in which those systems operate as part of initial and ongoing authorizations, continuous monitoring, FISMA annual assessments, system design and development, systems security engineering, privacy engineering, and the system development life cycle. Assessments help to ensure that organizations meet information security and privacy requirements, identify weaknesses and deficiencies in the system design and development process, provide essential information needed to make risk-based decisions as part of authorization processes, and comply with vulnerability mitigation procedures. Organizations conduct assessments on the implemented controls as documented in security and privacy plans. Assessments can also be conducted throughout the system development life cycle as part of systems engineering and systems security engineering processes. The design for controls can be assessed as RFPs are developed, responses assessed, and design reviews conducted. If a design to implement controls and subsequent implementation in accordance with the design are assessed during development, the final control testing can be a simple confirmation utilizing previously completed control assessment and aggregating the outcomes.

Organizations may develop a single, consolidated security and privacy assessment plan for the system or maintain separate plans. A consolidated assessment plan clearly delineates the roles and responsibilities for control assessment. If multiple organizations participate in assessing a system, a coordinated approach can reduce redundancies and associated costs.

Organizations can use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security and privacy posture of systems during the system life cycle. Assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting requirements. Assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of authorization decisions are provided to authorizing officials, senior agency officials for privacy, senior agency information security officers, and authorizing official designated representatives.

-

To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of CA-2.

+

To satisfy annual assessment requirements, organizations can use assessment results from the following sources: initial or ongoing system authorizations, continuous monitoring, systems engineering processes, or system development life cycle activities. Organizations ensure that assessment results are current, relevant to the determination of control effectiveness, and obtained with the appropriate level of assessor independence. Existing control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. After the initial authorizations, organizations assess controls during continuous monitoring. Organizations also establish the frequency for ongoing assessments in accordance with organizational continuous monitoring strategies. External audits, including audits by external entities such as regulatory agencies, are outside of the scope of CA-2.
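Review bot: the `-` and `+` copies of this CA-2 discussion paragraph are character-for-character identical, so the only change in this hunk is whitespace inside `<p>` mixed content; because whitespace inside mixed content is significant to an XML parser, the hunk (and the rest of the catalog) should be verified with a whitespace-normalized comparison before the commit is accepted as purely cosmetic, for example by running `xmllint --noblanks` over the old and new file and diffing the outputs, then comparing the two documents' text nodes with runs of whitespace collapsed to a single space and confirming that the remaining diff is empty.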

@@ -17164,11 +16251,11 @@ -

controls are assessed in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

+

controls are assessed in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

-

controls are assessed in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;

+

controls are assessed in the system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established privacy requirements;

@@ -17177,7 +16264,7 @@ -

the results of the control assessment are provided to .

+

the results of the control assessment are provided to .

@@ -17214,12 +16301,8 @@ - - + +

Employ independent assessors or assessment teams to conduct control assessments.

@@ -17264,9 +16347,9 @@ - -

frequency at which to include specialized assessments as part of the control assessment is defined;

-
+ +

frequency at which to include specialized assessments as part of the control assessment is defined;

+
@@ -17288,43 +16371,34 @@ insider threat assessment performance and load testing data leakage or data loss assessment - - - + - -

other forms of assessment are defined (if selected);

-
+ +

other forms of assessment are defined (if selected);

+
- - + + -

Include as part of control assessments, , , .

+

Include as part of control assessments, , , .

Organizations can conduct specialized assessments, including verification and validation, system monitoring, insider threat assessments, malicious user testing, and other forms of testing. These assessments can improve readiness by exercising organizational capabilities and indicating current levels of performance as a means of focusing actions to improve security and privacy. Organizations conduct specialized assessments in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can include vulnerabilities uncovered during assessments into vulnerability remediation processes. Specialized assessments can also be conducted early in the system development life cycle (e.g., during initial design, development, and unit testing).

-

- - - are included as part of control assessments.

+

are included as part of control assessments.
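Review bot: the three removed lines collapsed into the single `+` line here carry consecutive inline parameter insertions (the `<insert>` elements of the OSCAL source, which this extraction shows only as the bare `- - -`), and the line breaks between them were the only separator between adjacent parameter values; confirm that the reformatted line keeps at least one space between each insertion so a renderer that does not normalize whitespace cannot run the selected values together, and apply the same check to the other objective statements in this patch that begin with an insertion (the `are used to ensure`, `are employed to validate` and `are employed to simulate` lines).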

@@ -17363,46 +16437,42 @@ - -

external organizations from which the results of control assessments are leveraged are defined;

-
+ +

external organizations from which the results of control assessments are leveraged are defined;

+
- -

system on which a control assessment was performed by an external organization is defined;

-
+ +

system on which a control assessment was performed by an external organization is defined;

+
- -

requirements to be met by the control assessment performed by an external organization on the system are defined;

-
+ +

requirements to be met by the control assessment performed by an external organization on the system are defined;

+
- - + + -

Leverage the results of control assessments performed by on when the assessment meets .

+

Leverage the results of control assessments performed by on when the assessment meets .

-

Organizations may rely on control assessments of organizational systems by other (external) organizations. Using such assessments and reusing existing assessment evidence can decrease the time and resources required for assessments by limiting the independent assessment activities that organizations need to perform. The factors that organizations consider in determining whether to accept assessment results from external organizations can vary. Such factors include the organization’s past experience with the organization that conducted the assessment, the reputation of the assessment organization, the level of detail of supporting assessment evidence provided, and mandates imposed by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Accredited testing laboratories that support the Common Criteria Program ISO 15408-1 , the NIST Cryptographic Module Validation Program (CMVP), or the NIST Cryptographic Algorithm Validation Program (CAVP) can provide independent assessment results that organizations can leverage.

+

Organizations may rely on control assessments of organizational systems by other (external) organizations. Using such assessments and reusing existing assessment evidence can decrease the time and resources required for assessments by limiting the independent assessment activities that organizations need to perform. The factors that organizations consider in determining whether to accept assessment results from external organizations can vary. Such factors include the organization’s past experience with the organization that conducted the assessment, the reputation of the assessment organization, the level of detail of supporting assessment evidence provided, and mandates imposed by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Accredited testing laboratories that support the Common Criteria Program ISO 15408-1 , the NIST Cryptographic Module Validation Program (CMVP), or the NIST Cryptographic Algorithm Validation Program (CAVP) can provide independent assessment results that organizations can leverage.

-

the results of control assessments performed by on are leveraged when the assessment meets .

+

the results of control assessments performed by on are leveraged when the assessment meets .

@@ -17443,36 +16513,30 @@ service level agreements user agreements non-disclosure agreements - - - + - -

the type of agreement used to approve and manage the exchange of information is defined (if selected);

-
+ +

the type of agreement used to approve and manage the exchange of information is defined (if selected);

+
- -

the frequency at which to review and update agreements is defined;

-
+ +

the frequency at which to review and update agreements is defined;

+
- - + + @@ -17491,7 +16555,7 @@ -

Approve and manage the exchange of information between the system and other systems using ;

+

Approve and manage the exchange of information between the system and other systems using ;

@@ -17499,18 +16563,18 @@ -

Review and update the agreements .

+

Review and update the agreements .

-

System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in CA-6(1) or CA-6(2) , may help to communicate and reduce risk.

-

Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks.

+

System information exchange requirements apply to information exchanges between two or more systems. System information exchanges include connections via leased lines or virtual private networks, connections to internet service providers, database sharing or exchanges of database transaction information, connections and exchanges with cloud services, exchanges via web-based services, or exchanges of files via file transfer protocols, network protocols (e.g., IPv4, IPv6), email, or other organization-to-organization communications. Organizations consider the risk related to new or increased threats that may be introduced when systems exchange information with other systems that may have different security and privacy requirements and controls. This includes systems within the same organization and systems that are external to the organization. A joint authorization of the systems exchanging information, as described in CA-6(1) or CA-6(2) , may help to communicate and reduce risk.

+

Authorizing officials determine the risk associated with system information exchange and the controls needed for appropriate risk mitigation. The types of agreements selected are based on factors such as the impact level of the information being exchanged, the relationship between the organizations exchanging information (e.g., government to government, government to business, business to business, government or business to service provider, government or business to individual), or the level of access to the organizational system by users of the other system. If systems that exchange information have the same authorizing official, organizations need not develop agreements. Instead, the interface characteristics between the systems (e.g., how the information is being exchanged. how the information is protected) are described in the respective security and privacy plans. If the systems that exchange information have different authorizing officials within the same organization, the organizations can develop agreements or provide the same information that would be provided in the appropriate agreement type from CA-3a in the respective security and privacy plans for the systems. Organizations may incorporate agreement information into formal contracts, especially for information exchanges established between federal agencies and nonfederal organizations (including service providers, contractors, system developers, and system integrators). Risk considerations include systems that share the same networks.

-

the exchange of information between the system and other systems is approved and managed using ;

+

the exchange of information between the system and other systems is approved and managed using ;

@@ -17541,7 +16605,7 @@ -

agreements are reviewed and updated .

+

agreements are reviewed and updated .

@@ -17619,15 +16683,9 @@ - - - + + + @@ -17685,21 +16743,15 @@ - - - + + + -

Identify transitive (downstream) information exchanges with other systems through the systems identified in CA-3a ; and

+

Identify transitive (downstream) information exchanges with other systems through the systems identified in CA-3a ; and

@@ -17707,7 +16759,7 @@
-

Transitive or downstream information exchanges are information exchanges between the system or systems with which the organizational system exchanges information and other systems. For mission-essential systems, services, and applications, including high value assets, it is necessary to identify such information exchanges. The transparency of the controls or protection measures in place in such downstream systems connected directly or indirectly to organizational systems is essential to understanding the security and privacy risks resulting from those information exchanges. Organizational systems can inherit risk from downstream systems through transitive connections and information exchanges, which can make the organizational systems more susceptible to threats, hazards, and adverse impacts.

+

Transitive or downstream information exchanges are information exchanges between the system or systems with which the organizational system exchanges information and other systems. For mission-essential systems, services, and applications, including high value assets, it is necessary to identify such information exchanges. The transparency of the controls or protection measures in place in such downstream systems connected directly or indirectly to organizational systems is essential to understanding the security and privacy risks resulting from those information exchanges. Organizational systems can inherit risk from downstream systems through transitive connections and information exchanges, which can make the organizational systems more susceptible to threats, hazards, and adverse impacts.

@@ -17773,19 +16825,15 @@ - -

the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;

-
+ +

the frequency at which to update an existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities is defined;

+
- - + + @@ -17802,7 +16850,7 @@
-

Update existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

+

Update existing plan of action and milestones based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

@@ -17816,7 +16864,7 @@ -

existing plan of action and milestones are updated based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

+

existing plan of action and milestones are updated based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

@@ -17855,30 +16903,25 @@ - -

automated mechanisms used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system are defined;

-
+ +

automated mechanisms used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system are defined;

+
- - + + -

Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using .

+

Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using .

Using automated tools helps maintain the accuracy, currency, and availability of the plan of action and milestones and facilitates the coordination and sharing of security and privacy information throughout the organization. Such coordination and information sharing help to identify systemic weaknesses or deficiencies in organizational systems and ensure that appropriate resources are directed at the most critical system vulnerabilities in a timely manner.

-

- are used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system.

+

are used to ensure the accuracy, currency, and availability of the plan of action and milestones for the system.

@@ -17918,19 +16961,15 @@ - -

frequency at which to update the authorizations is defined;

-
+ +

frequency at which to update the authorizations is defined;

+
- - + + @@ -17969,7 +17008,7 @@
-

Update the authorizations .

+

Update the authorizations .

@@ -18003,7 +17042,7 @@ -

the authorizations are updated .

+

the authorizations are updated .

@@ -18037,12 +17076,8 @@ - - + + @@ -18097,12 +17132,8 @@ - - + + @@ -18156,84 +17187,72 @@ Continuous Monitoring - - + + - - + + - -

system-level metrics to be monitored are defined;

-
+ +

system-level metrics to be monitored are defined;

+
- -

frequencies at which to monitor control effectiveness are defined;

-
+ +

frequencies at which to monitor control effectiveness are defined;

+
- -

frequencies at which to assess control effectiveness are defined;

-
+ +

frequencies at which to assess control effectiveness are defined;

+
- -

personnel or roles to whom the security status of the system is reported are defined;

-
+ +

personnel or roles to whom the security status of the system is reported are defined;

+
- -

frequency at which the security status of the system is reported is defined;

-
+ +

frequency at which the security status of the system is reported is defined;

+
- -

personnel or roles to whom the privacy status of the system is reported are defined;

-
+ +

personnel or roles to whom the privacy status of the system is reported are defined;

+
- -

frequency at which the privacy status of the system is reported is defined;

-
+ +

frequency at which the privacy status of the system is reported is defined;

+
- - + + @@ -18297,11 +17316,11 @@

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

-

Establishing the following system-level metrics to be monitored: ;

+

Establishing the following system-level metrics to be monitored: ;

-

Establishing for monitoring and for assessment of control effectiveness;

+

Establishing for monitoring and for assessment of control effectiveness;

@@ -18321,13 +17340,12 @@ -

Reporting the security and privacy status of the system to - .

+

Reporting the security and privacy status of the system to .

-

Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.

-

Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b , and SI-4.

+

Continuous monitoring at the system level facilitates ongoing awareness of the system security and privacy posture to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring generate risk response actions by organizations. When monitoring the effectiveness of multiple controls that have been grouped into capabilities, a root-cause analysis may be needed to determine the specific control that has failed. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security and privacy information on a continuing basis through reports and dashboards gives organizational officials the ability to make effective and timely risk management decisions, including ongoing authorization decisions.

+

Automation supports more frequent updates to hardware, software, and firmware inventories, authorization packages, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of systems. Monitoring requirements, including the need for specific monitoring, may be referenced in other controls and control enhancements, such as AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PM-31, PS-7e, SA-9c, SR-4, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b , and SI-4.
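Review bot: in the first pair of lines of this hunk the `-` version of the status-reporting statement breaks the `<p>` before its terminal period (shown here as `to - .`) and the `+` version joins it onto one line; that is an edit to a text node inside mixed content, so make sure the join replaces the break with a single space rather than deleting it outright, and note that both versions still render with a space between the final parameter insertion and the period, which would be a content edit outside the scope of a whitespace fixup if it were to be corrected. The stray space before the comma in the cross-reference list at the end of the discussion paragraph (`SC-43b , and SI-4`) is present in both copies, consistent with the reformat leaving existing text-node whitespace untouched; the commit description should say so, since it tells reviewers that rendered text is not expected to change anywhere.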

@@ -18341,17 +17359,17 @@ -

system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: ;

+

system-level continuous monitoring includes establishment of the following system-level metrics to be monitored: ;

-

system-level continuous monitoring includes established for monitoring;

+

system-level continuous monitoring includes established for monitoring;

-

system-level continuous monitoring includes established for assessment of control effectiveness;

+

system-level continuous monitoring includes established for assessment of control effectiveness;

@@ -18374,13 +17392,11 @@ -

system-level continuous monitoring includes reporting the security status of the system to - ;

+

system-level continuous monitoring includes reporting the security status of the system to ;

-

system-level continuous monitoring includes reporting the privacy status of the system to - .

+

system-level continuous monitoring includes reporting the privacy status of the system to .

@@ -18427,12 +17443,8 @@ - - + +

Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.

@@ -18484,12 +17496,8 @@ - - + +

Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data.

@@ -18552,15 +17560,9 @@ - - - + + +

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:

@@ -18633,40 +17635,32 @@ Consistency Analysis - - + + - -

actions to validate that policies are established are defined;

-
+ +

actions to validate that policies are established are defined;

+
- -

actions to validate that implemented controls are operating in a consistent manner are defined;

-
+ +

actions to validate that implemented controls are operating in a consistent manner are defined;

+
- - + + -

Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: .

+

Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: .

Security and privacy controls are often added incrementally to a system. As a result, policies for selecting and implementing controls may be inconsistent, and the controls could fail to work together in a consistent or coordinated manner. At a minimum, the lack of consistency and coordination could mean that there are unacceptable security and privacy gaps in the system. At worst, it could mean that some of the controls implemented in one location or by one component are actually impeding the functionality of other controls (e.g., encrypting internal network traffic can impede monitoring). In other situations, failing to consistently monitor all implemented network protocols (e.g., a dual stack of IPv4 and IPv6) may create unintended vulnerabilities in the system that could be exploited by adversaries. It is important to validate—through testing, monitoring, and analysis—that the implemented controls are operating in a consistent, coordinated, non-interfering manner.

@@ -18675,13 +17669,11 @@ -

- are employed to validate that policies are established;

+

are employed to validate that policies are established;

-

- are employed to validate that implemented controls are operating in a consistent manner.

+

are employed to validate that implemented controls are operating in a consistent manner.

@@ -18723,33 +17715,26 @@ - -

automated mechanisms used to ensure the accuracy, currency, and availability of monitoring results for the system are defined;

-
+ +

automated mechanisms used to ensure the accuracy, currency, and availability of monitoring results for the system are defined;

+
- - - + + + -

Ensure the accuracy, currency, and availability of monitoring results for the system using .

+

Ensure the accuracy, currency, and availability of monitoring results for the system using .

Using automated tools for monitoring helps to maintain the accuracy, currency, and availability of monitoring information which in turns helps to increase the level of ongoing awareness of the system security and privacy posture in support of organizational risk management decisions.

-

- are used to ensure the accuracy, currency, and availability of monitoring results for the system.

+

are used to ensure the accuracy, currency, and availability of monitoring results for the system.

@@ -18792,37 +17777,31 @@ - -

frequency at which to conduct penetration testing on systems or system components is defined;

-
+ +

frequency at which to conduct penetration testing on systems or system components is defined;

+
- + - -

systems or system components on which penetration testing is to be conducted are defined;

-
+ +

systems or system components on which penetration testing is to be conducted are defined;

+
- - + + -

Conduct penetration testing on .

+

Conduct penetration testing on .

Penetration testing is a specialized type of assessment conducted on systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Penetration testing goes beyond automated vulnerability scanning and is conducted by agents and teams with demonstrable skills and experience that include technical expertise in network, operating system, and/or application level security. Penetration testing can be used to validate vulnerabilities or determine the degree of penetration resistance of systems to adversaries within specified constraints. Such constraints include time, resources, and skills. Penetration testing attempts to duplicate the actions of adversaries and provides a more in-depth analysis of security- and privacy-related weaknesses or deficiencies. Penetration testing is especially important when organizations are transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).

@@ -18830,7 +17809,7 @@
-

penetration testing is conducted on .

+

penetration testing is conducted on .

@@ -18868,19 +17847,15 @@ - - + +

Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.

-

Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. CA-2(1) provides additional information on independent assessments that can be applied to penetration testing.

+

Independent penetration testing agents or teams are individuals or groups who conduct impartial penetration testing of organizational systems. Impartiality implies that penetration testing agents or teams are free from perceived or actual conflicts of interest with respect to the development, operation, or management of the systems that are the targets of the penetration testing. CA-2(1) provides additional information on independent assessments that can be applied to penetration testing.

@@ -18916,30 +17891,25 @@ - -

red team exercises to simulate attempts by adversaries to compromise organizational systems are defined;

-
+ +

red team exercises to simulate attempts by adversaries to compromise organizational systems are defined;

+
- - + + -

Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: .

+

Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: .

Red team exercises extend the objectives of penetration testing by examining the security and privacy posture of organizations and the capability to implement effective cyber defenses. Red team exercises simulate attempts by adversaries to compromise mission and business functions and provide a comprehensive assessment of the security and privacy posture of systems and organizations. Such attempts may include technology-based attacks and social engineering-based attacks. Technology-based attacks include interactions with hardware, software, or firmware components and/or mission and business processes. Social engineering-based attacks include interactions via email, telephone, shoulder surfing, or personal conversations. Red team exercises are most effective when conducted by penetration testing agents and teams with knowledge of and experience with current adversarial tactics, techniques, procedures, and tools. While penetration testing may be primarily laboratory-based testing, organizations can use red team exercises to provide more comprehensive assessments that reflect real-world conditions. The results from red team exercises can be used by organizations to improve security and privacy awareness and training and to assess control effectiveness.

-

- are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement.

+

are employed to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement.

@@ -18982,9 +17952,9 @@ - -

frequency at which to employ penetration testing that attempts to bypass or circumvent controls associated with physical access points to the facility is defined;

-
+ +

frequency at which to employ penetration testing that attempts to bypass or circumvent controls associated with physical access points to the facility is defined;

+
@@ -18997,26 +17967,20 @@ - - + + -

Employ a penetration testing process that includes - attempts to bypass or circumvent controls associated with physical access points to the facility.

+

Employ a penetration testing process that includes attempts to bypass or circumvent controls associated with physical access points to the facility.

Penetration testing of physical access points can provide information on critical vulnerabilities in the operating environments of organizational systems. Such information can be used to correct weaknesses or deficiencies in physical controls that are necessary to protect organizational systems.

-

the penetration testing process includes - attempts to bypass or circumvent controls associated with physical access points to facility.

+

the penetration testing process includes attempts to bypass or circumvent controls associated with physical access points to facility.

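Review bot: the minus side splits "Employ a penetration testing process that includes" from the inline parameter reference on the following line, while the plus side joins them into one line ("...includes attempts to bypass or circumvent..."); whitespace inside mixed-content prose elements is significant, so confirm that collapsing that line break leaves exactly one space on each side of the inline element, otherwise rendered statement text can run words together or pick up double spaces. The same check applies to the assessment objective lines in this hunk ("the penetration testing process includes ... attempts to bypass").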
@@ -19058,40 +18022,34 @@ Internal System Connections - + - -

system components or classes of components requiring internal connections to the system are defined;

-
+ +

system components or classes of components requiring internal connections to the system are defined;

+
- -

conditions requiring termination of internal connections are defined;

-
+ +

conditions requiring termination of internal connections are defined;

+
- -

frequency at which to review the continued need for each internal connection is defined;

-
+ +

frequency at which to review the continued need for each internal connection is defined;

+
- - + + @@ -19105,7 +18063,7 @@ -

Authorize internal connections of to the system;

+

Authorize internal connections of to the system;

@@ -19113,11 +18071,11 @@ -

Terminate internal system connections after ; and

+

Terminate internal system connections after ; and

-

Review the continued need for each internal connection.

+

Review the continued need for each internal connection.

@@ -19127,7 +18085,7 @@ -

internal connections of to the system are authorized;

+

internal connections of to the system are authorized;

@@ -19150,11 +18108,11 @@ -

internal system connections are terminated after ;

+

internal system connections are terminated after ;

-

the continued need for each internal connection is reviewed .

+

the continued need for each internal connection is reviewed .

@@ -19195,15 +18153,9 @@ - - - + + + @@ -19264,27 +18216,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the configuration management policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the configuration management policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;

+
@@ -19299,51 +18247,47 @@ - -

an official to manage the configuration management policy and procedures is defined;

-
+ +

an official to manage the configuration management policy and procedures is defined;

+
- -

the frequency at which the current configuration management policy is reviewed and updated is defined;

-
+ +

the frequency at which the current configuration management policy is reviewed and updated is defined;

+
- -

events that would require the current configuration management policy to be reviewed and updated are defined;

-
+ +

events that would require the current configuration management policy to be reviewed and updated are defined;

+
- -

the frequency at which the current configuration management procedures are reviewed and updated is defined;

-
+ +

the frequency at which the current configuration management procedures are reviewed and updated is defined;

+
- -

events that would require configuration management procedures to be reviewed and updated are defined;

-
+ +

events that would require configuration management procedures to be reviewed and updated are defined;

+
- - + + @@ -19356,11 +18300,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- configuration management policy that:

+

configuration management policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

@@ -19377,18 +18320,18 @@
-

Designate an to manage the development, documentation, and dissemination of the configuration management policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the configuration management policy and procedures; and

Review and update the current configuration management:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -19405,7 +18348,7 @@
-

the configuration management policy is disseminated to ;

+

the configuration management policy is disseminated to ;

@@ -19413,7 +18356,7 @@ -

the configuration management procedures are disseminated to ;

+

the configuration management procedures are disseminated to ;

@@ -19421,31 +18364,31 @@ -

the of the configuration management policy addresses purpose;

+

the of the configuration management policy addresses purpose;

-

the of the configuration management policy addresses scope;

+

the of the configuration management policy addresses scope;

-

the of the configuration management policy addresses roles;

+

the of the configuration management policy addresses roles;

-

the of the configuration management policy addresses responsibilities;

+

the of the configuration management policy addresses responsibilities;

-

the of the configuration management policy addresses management commitment;

+

the of the configuration management policy addresses management commitment;

-

the of the configuration management policy addresses coordination among organizational entities;

+

the of the configuration management policy addresses coordination among organizational entities;

-

the of the configuration management policy addresses compliance;

+

the of the configuration management policy addresses compliance;

@@ -19456,7 +18399,7 @@ -

the is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;

@@ -19464,22 +18407,22 @@ -

the current configuration management policy is reviewed and updated ;

+

the current configuration management policy is reviewed and updated ;

-

the current configuration management policy is reviewed and updated following ;

+

the current configuration management policy is reviewed and updated following ;

-

the current configuration management procedures are reviewed and updated ;

+

the current configuration management procedures are reviewed and updated ;

-

the current configuration management procedures are reviewed and updated following .

+

the current configuration management procedures are reviewed and updated following .

@@ -19513,27 +18456,23 @@ - -

the frequency of baseline configuration review and update is defined;

-
+ +

the frequency of baseline configuration review and update is defined;

+
- -

the circumstances requiring baseline configuration review and update are defined;

-
+ +

the circumstances requiring baseline configuration review and update are defined;

+
- - + + @@ -19565,12 +18504,11 @@

Review and update the baseline configuration of the system:

-

- ;

+

;

-

When required due to ; and

+

When required due to ; and

@@ -19598,11 +18536,11 @@ -

the baseline configuration of the system is reviewed and updated ;

+

the baseline configuration of the system is reviewed and updated ;

-

the baseline configuration of the system is reviewed and updated when required due to ;

+

the baseline configuration of the system is reviewed and updated when required due to ;

@@ -19659,46 +18597,42 @@ - -

automated mechanisms for maintaining baseline configuration of the system are defined;

-
+ +

automated mechanisms for maintaining baseline configuration of the system are defined;

+
- - + + -

Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using .

+

Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using .

-

Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of CM-8(2) for organizations that combine system component inventory and baseline configuration activities.

+

Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels. Automation support for accuracy and currency can be satisfied by the implementation of CM-8(2) for organizations that combine system component inventory and baseline configuration activities.

-

the currency of the baseline configuration of the system is maintained using ;

+

the currency of the baseline configuration of the system is maintained using ;

-

the completeness of the baseline configuration of the system is maintained using ;

+

the completeness of the baseline configuration of the system is maintained using ;

-

the accuracy of the baseline configuration of the system is maintained using ;

+

the accuracy of the baseline configuration of the system is maintained using ;

-

the availability of the baseline configuration of the system is maintained using .

+

the availability of the baseline configuration of the system is maintained using .

@@ -19741,30 +18675,25 @@ - -

the number of previous baseline configuration versions to be retained is defined;

-
+ +

the number of previous baseline configuration versions to be retained is defined;

+
- - + + -

Retain of previous versions of baseline configurations of the system to support rollback.

+

Retain of previous versions of baseline configurations of the system to support rollback.

Retaining previous versions of baseline configurations to support rollback include hardware, software, firmware, configuration files, configuration records, and associated documentation.

-

- of previous baseline configuration version(s) of the system is/are retained to support rollback.

+

of previous baseline configuration version(s) of the system is/are retained to support rollback.

@@ -19818,12 +18747,8 @@ - - + + @@ -19883,62 +18808,56 @@ - -

the systems or system components to be issued when individuals travel to high-risk areas are defined;

-
+ +

the systems or system components to be issued when individuals travel to high-risk areas are defined;

+
- -

configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;

-
+ +

configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;

+
- -

the controls to be applied when the individuals return from travel are defined;

-
+ +

the controls to be applied when the individuals return from travel are defined;

+
- - + + -

Issue with to individuals traveling to locations that the organization deems to be of significant risk; and

+

Issue with to individuals traveling to locations that the organization deems to be of significant risk; and

-

Apply the following controls to the systems or components when the individuals return from travel: .

+

Apply the following controls to the systems or components when the individuals return from travel: .

-

When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the MP (Media Protection) family.

+

When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed. Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the MP (Media Protection) family.

-

- with are issued to individuals traveling to locations that the organization deems to be of significant risk;

+

with are issued to individuals traveling to locations that the organization deems to be of significant risk;

-

- are applied to the systems or system components when the individuals return from travel.

+

are applied to the systems or system components when the individuals return from travel.

@@ -19983,54 +18902,47 @@ - -

the time period to retain records of configuration-controlled changes is defined;

-
+ +

the time period to retain records of configuration-controlled changes is defined;

+
- -

the configuration change control element responsible for coordinating and overseeing change control activities is defined;

-
+ +

the configuration change control element responsible for coordinating and overseeing change control activities is defined;

+
- -

the frequency at which the configuration control element convenes is defined (if selected);

-
+ +

the frequency at which the configuration control element convenes is defined (if selected);

+
- -

configuration change conditions that prompt the configuration control element to convene are defined (if selected);

-
+ +

configuration change conditions that prompt the configuration control element to convene are defined (if selected);

+
- - + + @@ -20076,7 +18988,7 @@
-

Retain records of configuration-controlled changes to the system for ;

+

Retain records of configuration-controlled changes to the system for ;

@@ -20084,11 +18996,11 @@ -

Coordinate and provide oversight for configuration change control activities through that convenes .

+

Coordinate and provide oversight for configuration change control activities through that convenes .

-

Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10.

+

Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10.

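Review bot: out of scope for a whitespace-only change, but the discussion text on the plus line lists "configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes", which drops a verb phrase into a list of nouns; because this catalog mirrors the published text, leave it unchanged here and, if it is worth correcting, raise it separately rather than folding a wording edit into a cosmetic commit.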
@@ -20117,7 +19029,7 @@ -

records of configuration-controlled changes to the system are retained for ;

+

records of configuration-controlled changes to the system are retained for ;

@@ -20134,11 +19046,11 @@ -

configuration change control activities are coordinated and overseen by ;

+

configuration change control activities are coordinated and overseen by ;

-

the configuration control element convenes .

+

the configuration control element convenes .

@@ -20185,57 +19097,53 @@ - -

mechanisms used to automate configuration change control are defined;

-
+ +

mechanisms used to automate configuration change control are defined;

+
- -

approval authorities to be notified of and request approval for proposed changes to the system are defined;

-
+ +

approval authorities to be notified of and request approval for proposed changes to the system are defined;

+
- -

the time period after which to highlight changes that have not been approved or disapproved is defined;

-
+ +

the time period after which to highlight changes that have not been approved or disapproved is defined;

+
- -

personnel to be notified when approved changes are complete is/are defined;

-
+ +

personnel to be notified when approved changes are complete is/are defined;

+
- - + + -

Use to:

+

Use to:

Document proposed changes to the system;

-

Notify of proposed changes to the system and request change approval;

+

Notify of proposed changes to the system and request change approval;

-

Highlight proposed changes to the system that have not been approved or disapproved within ;

+

Highlight proposed changes to the system that have not been approved or disapproved within ;

@@ -20247,7 +19155,7 @@ -

Notify when approved changes to the system are completed.

+

Notify when approved changes to the system are completed.

@@ -20257,33 +19165,27 @@ -

- are used to document proposed changes to the system;

+

are used to document proposed changes to the system;

-

- are used to notify of proposed changes to the system and request change approval;

+

are used to notify of proposed changes to the system and request change approval;

-

- are used to highlight proposed changes to the system that have not been approved or disapproved within ;

+

are used to highlight proposed changes to the system that have not been approved or disapproved within ;

-

- are used to prohibit changes to the system until designated approvals are received;

+

are used to prohibit changes to the system until designated approvals are received;

-

- are used to document all changes to the system;

+

are used to document all changes to the system;

-

- are used to notify when approved changes to the system are completed.

+

are used to notify when approved changes to the system are completed.

@@ -20330,18 +19232,14 @@ - - + +

Test, validate, and document changes to the system before finalizing the implementation of the changes.

-

Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6 . Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls.

+

Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6 . Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls.

@@ -20402,19 +19300,17 @@ - -

mechanisms used to automate the implementation of changes and deployment of the updated baseline across the installed base are defined;

-
+ +

mechanisms used to automate the implementation of changes and deployment of the updated baseline across the installed base are defined;

+
- + -

Implement changes to the current system baseline and deploy the updated baseline across the installed base using .

+

Implement changes to the current system baseline and deploy the updated baseline across the installed base using .

Automated tools can improve the accuracy, consistency, and availability of configuration baseline information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization.

@@ -20423,11 +19319,11 @@ -

changes to the current system baseline are implemented using ;

+

changes to the current system baseline are implemented using ;

-

the updated baseline is deployed across the installed base using .

+

the updated baseline is deployed across the installed base using .

@@ -20470,60 +19366,52 @@ Security and Privacy Representatives - - + + - -

security representatives required to be members of the change control element are defined;

-
+ +

security representatives required to be members of the change control element are defined;

+
- -

privacy representatives required to be members of the change control element are defined;

-
+ +

privacy representatives required to be members of the change control element are defined;

+
- -

the configuration change control element of which the security and privacy representatives are to be members is defined;

-
+ +

the configuration change control element of which the security and privacy representatives are to be members is defined;

+
- + -

Require to be members of the .

+

Require to be members of the .

-

Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in CM-3g.

+

Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in CM-3g.

-

- are required to be members of the ;

+

are required to be members of the ;

-

- are required to be members of the .

+

are required to be members of the .

@@ -20561,27 +19449,24 @@ - -

security responses to be automatically implemented are defined;

-
+ +

security responses to be automatically implemented are defined;

+
- + -

Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: .

+

Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: .

Automated security responses include halting selected system functions, halting system processing, and issuing alerts or notifications to organizational personnel when there is an unauthorized modification of a configuration item.

-

- are automatically implemented if baseline configurations are changed in an unauthorized manner.

+

are automatically implemented if baseline configurations are changed in an unauthorized manner.

@@ -20625,27 +19510,25 @@ - -

controls provided by cryptographic mechanisms that are to be under configuration management are defined;

-
+ +

controls provided by cryptographic mechanisms that are to be under configuration management are defined;

+
- + -

Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: .

+

Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: .

The controls referenced in the control enhancement refer to security and privacy controls from the control catalog. Regardless of the cryptographic mechanisms employed, processes and procedures are in place to manage those mechanisms. For example, if system components use certificates for identification and authentication, a process is implemented to address the expiration of those certificates.

-

cryptographic mechanisms used to provide are under configuration management.

+

cryptographic mechanisms used to provide are under configuration management.

@@ -20687,37 +19570,35 @@ - -

the frequency at which changes are to be reviewed is defined;

-
+ +

the frequency at which changes are to be reviewed is defined;

+
- -

the circumstances under which changes are to be reviewed are defined;

-
+ +

the circumstances under which changes are to be reviewed are defined;

+
- + -

Review changes to the system or when to determine whether unauthorized changes have occurred.

+

Review changes to the system or when to determine whether unauthorized changes have occurred.

Indications that warrant a review of changes to the system and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process or continuous monitoring process.

-

changes to the system are reviewed or when to determine whether unauthorized changes have occurred.

+

changes to the system are reviewed or when to determine whether unauthorized changes have occurred.

@@ -20760,26 +19641,24 @@ - -

the circumstances under which changes are to be prevented or restricted are defined;

-
+ +

the circumstances under which changes are to be prevented or restricted are defined;

+
- + -

Prevent or restrict changes to the configuration of the system under the following circumstances: .

+

Prevent or restrict changes to the configuration of the system under the following circumstances: .

System configuration changes can adversely affect critical system security and privacy functionality. Change restrictions can be enforced through automated mechanisms.

-

changes to the configuration of the system are prevented or restricted under .

+

changes to the configuration of the system are prevented or restricted under .

@@ -20804,12 +19683,8 @@ - - + + @@ -20885,12 +19760,8 @@ - - + + @@ -20986,12 +19857,8 @@ - - + + @@ -21075,9 +19942,7 @@ - + @@ -21094,7 +19959,7 @@

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

-

Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3 ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).

+

Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3 ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).

@@ -21166,16 +20031,14 @@ - -

mechanisms used to automate the enforcement of access restrictions are defined;

-
+ +

mechanisms used to automate the enforcement of access restrictions are defined;

+
- + @@ -21187,7 +20050,7 @@ -

Enforce access restrictions using ; and

+

Enforce access restrictions using ; and

@@ -21201,7 +20064,7 @@ -

access restrictions for change are enforced using ;

+

access restrictions for change are enforced using ;

@@ -21262,43 +20125,35 @@ Dual Authorization - - + + - -

system components requiring dual authorization for changes are defined;

-
+ +

system components requiring dual authorization for changes are defined;

+
- -

system-level information requiring dual authorization for changes is defined;

-
+ +

system-level information requiring dual authorization for changes is defined;

+
- - + + -

Enforce dual authorization for implementing changes to .

+

Enforce dual authorization for implementing changes to .

Organizations employ dual authorization to help ensure that any changes to selected system components and information cannot occur unless two qualified individuals approve and implement such changes. The two individuals possess the skills and expertise to determine if the proposed changes are correct implementations of approved changes. The individuals are also accountable for the changes. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. System-level information includes operational procedures.

@@ -21307,11 +20162,11 @@ -

dual authorization for implementing changes to is enforced;

+

dual authorization for implementing changes to is enforced;

-

dual authorization for implementing changes to is enforced.

+

dual authorization for implementing changes to is enforced.

@@ -21353,34 +20208,28 @@ Privilege Limitation for Production and Operation - - + + - -

frequency at which to review privileges is defined;

-
+ +

frequency at which to review privileges is defined;

+
- -

frequency at which to reevaluate privileges is defined;

-
+ +

frequency at which to reevaluate privileges is defined;

+
- + @@ -21390,7 +20239,7 @@ -

Review and reevaluate privileges .

+

Review and reevaluate privileges .

@@ -21413,11 +20262,11 @@ -

privileges are reviewed ;

+

privileges are reviewed ;

-

privileges are reevaluated .

+

privileges are reevaluated .

@@ -21462,12 +20311,8 @@ - - + + @@ -21529,35 +20374,31 @@ - -

common secure configurations to establish and document configuration settings for components employed within the system are defined;

-
+ +

common secure configurations to establish and document configuration settings for components employed within the system are defined;

+
- -

system components for which approval of deviations is needed are defined;

-
+ +

system components for which approval of deviations is needed are defined;

+
- -

operational requirements necessitating approval of deviations are defined;

-
+ +

operational requirements necessitating approval of deviations are defined;

+
- - + + @@ -21595,7 +20436,7 @@ -

Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using ;

+

Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using ;

@@ -21603,7 +20444,7 @@ -

Identify, document, and approve any deviations from established configuration settings for based on ; and

+

Identify, document, and approve any deviations from established configuration settings for based on ; and

@@ -21613,13 +20454,13 @@

Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.

Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.

-

Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline USGCB and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7 . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.

+

Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline USGCB and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7 . The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.

-

configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using ;

+

configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using ;

@@ -21629,11 +20470,11 @@ -

any deviations from established configuration settings for are identified and documented based on ;

+

any deviations from established configuration settings for are identified and documented based on ;

-

any deviations from established configuration settings for are approved;

+

any deviations from established configuration settings for are approved;

@@ -21690,56 +20531,48 @@ Automated Management, Application, and Verification - - - + + + - -

system components for which to manage, apply, and verify configuration settings are defined;

-
+ +

system components for which to manage, apply, and verify configuration settings are defined;

+
- -

automated mechanisms to manage configuration settings are defined;

-
+ +

automated mechanisms to manage configuration settings are defined;

+
- -

automated mechanisms to apply configuration settings are defined;

-
+ +

automated mechanisms to apply configuration settings are defined;

+
- -

automated mechanisms to verify configuration settings are defined;

-
+ +

automated mechanisms to verify configuration settings are defined;

+
- + -

Manage, apply, and verify configuration settings for using .

+

Manage, apply, and verify configuration settings for using .

Automated tools (e.g., hardening tools, baseline configuration tools) can improve the accuracy, consistency, and availability of configuration settings information. Automation can also provide data aggregation and data correlation capabilities, alerting mechanisms, and dashboards to support risk-based decision-making within the organization.

@@ -21748,15 +20581,15 @@ -

configuration settings for are managed using ;

+

configuration settings for are managed using ;

-

configuration settings for are applied using ;

+

configuration settings for are applied using ;

-

configuration settings for are verified using .

+

configuration settings for are verified using .

@@ -21802,38 +20635,35 @@ - -

actions to be taken upon an unauthorized change are defined;

-
+ +

actions to be taken upon an unauthorized change are defined;

+
- -

configuration settings requiring action upon an unauthorized change are defined;

-
+ +

configuration settings requiring action upon an unauthorized change are defined;

+
- + -

Take the following actions in response to unauthorized changes to : .

+

Take the following actions in response to unauthorized changes to : .

Responses to unauthorized changes to configuration settings include alerting designated organizational personnel, restoring established configuration settings, or—in extreme cases—halting affected system processing.

-

- are taken in response to unauthorized changes to .

+

are taken in response to unauthorized changes to .

@@ -21892,78 +20722,62 @@ Least Functionality - - - - - + + + + + - + - -

mission-essential capabilities for the system are defined;

-
+ +

mission-essential capabilities for the system are defined;

+
- -

functions to be prohibited or restricted are defined;

-
+ +

functions to be prohibited or restricted are defined;

+
- -

ports to be prohibited or restricted are defined;

-
+ +

ports to be prohibited or restricted are defined;

+
- -

protocols to be prohibited or restricted are defined;

-
+ +

protocols to be prohibited or restricted are defined;

+
- -

software to be prohibited or restricted is defined;

-
+ +

software to be prohibited or restricted is defined;

+
- -

services to be prohibited or restricted are defined;

-
+ +

services to be prohibited or restricted are defined;

+
- - + + @@ -21989,43 +20803,43 @@ -

Configure the system to provide only ; and

+

Configure the system to provide only ; and

-

Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: .

+

Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: .

-

Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2 , and SC-3).

+

Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2 , and SC-3).

-

the system is configured to provide only ;

+

the system is configured to provide only ;

-

the use of is prohibited or restricted;

+

the use of is prohibited or restricted;

-

the use of is prohibited or restricted;

+

the use of is prohibited or restricted;

-

the use of is prohibited or restricted;

+

the use of is prohibited or restricted;

-

the use of is prohibited or restricted;

+

the use of is prohibited or restricted;

-

the use of is prohibited or restricted.

+

the use of is prohibited or restricted.

@@ -22065,85 +20879,71 @@ Periodic Review - - - - - + + + + + - -

the frequency at which to review the system to identify unnecessary and/or non-secure functions, ports, protocols, software, and/or services is defined;

-
+ +

the frequency at which to review the system to identify unnecessary and/or non-secure functions, ports, protocols, software, and/or services is defined;

+
- -

functions to be disabled or removed when deemed unnecessary or non-secure are defined;

-
+ +

functions to be disabled or removed when deemed unnecessary or non-secure are defined;

+
- -

ports to be disabled or removed when deemed unnecessary or non-secure are defined;

-
+ +

ports to be disabled or removed when deemed unnecessary or non-secure are defined;

+
- -

protocols to be disabled or removed when deemed unnecessary or non-secure are defined;

-
+ +

protocols to be disabled or removed when deemed unnecessary or non-secure are defined;

+
- -

software to be disabled or removed when deemed unnecessary or non-secure is defined;

-
+ +

software to be disabled or removed when deemed unnecessary or non-secure is defined;

+
- -

services to be disabled or removed when deemed unnecessary or non-secure are defined;

-
+ +

services to be disabled or removed when deemed unnecessary or non-secure are defined;

+
- - + + -

Review the system to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and

+

Review the system to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and

-

Disable or remove .

+

Disable or remove .

@@ -22153,34 +20953,29 @@ -

the system is reviewed to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:

+

the system is reviewed to identify unnecessary and/or non-secure functions, ports, protocols, software, and services:

-

- deemed to be unnecessary and/or non-secure are disabled or removed;

+

deemed to be unnecessary and/or non-secure are disabled or removed;

-

- deemed to be unnecessary and/or non-secure are disabled or removed;

+

deemed to be unnecessary and/or non-secure are disabled or removed;

-

- deemed to be unnecessary and/or non-secure are disabled or removed;

+

deemed to be unnecessary and/or non-secure are disabled or removed;

-

- deemed to be unnecessary and/or non-secure is disabled or removed;

+

deemed to be unnecessary and/or non-secure is disabled or removed;

-

- deemed to be unnecessary and/or non-secure are disabled or removed.

+

deemed to be unnecessary and/or non-secure are disabled or removed.

@@ -22226,9 +21021,7 @@ @@ -22236,16 +21029,14 @@ - -

policies, rules of behavior, and/or access agreements regarding software program usage and restrictions are defined (if selected);

-
+ +

policies, rules of behavior, and/or access agreements regarding software program usage and restrictions are defined (if selected);

+
- + @@ -22253,14 +21044,14 @@ -

Prevent program execution in accordance with .

+

Prevent program execution in accordance with .

Prevention of program execution addresses organizational policies, rules of behavior, and/or access agreements that restrict software usage and the terms and conditions imposed by the developer or manufacturer, including software licensing and copyrights. Restrictions include prohibiting auto-execute features, restricting roles allowed to approve program execution, permitting or prohibiting specific software programs, or restricting the number of program instances executed at the same time.

-

program execution is prevented in accordance with .

+

program execution is prevented in accordance with .

@@ -22304,32 +21095,27 @@ Registration Compliance - + - -

registration requirements for functions, ports, protocols, and services are defined;

-
+ +

registration requirements for functions, ports, protocols, and services are defined;

+
- + -

Ensure compliance with .

+

Ensure compliance with .

Organizations use the registration process to manage, track, and provide oversight for systems and implemented functions, ports, protocols, and services.

-

- are complied with.

+

are complied with.

@@ -22368,32 +21154,26 @@ Unauthorized Software — Deny-by-exception - + - -

software programs not authorized to execute on the system are defined;

-
+ +

software programs not authorized to execute on the system are defined;

+
- -

frequency at which to review and update the list of unauthorized software programs is defined;

-
+ +

frequency at which to review and update the list of unauthorized software programs is defined;

+
- - + + @@ -22403,7 +21183,7 @@ -

Identify ;

+

Identify ;

@@ -22411,7 +21191,7 @@ -

Review and update the list of unauthorized software programs .

+

Review and update the list of unauthorized software programs .

@@ -22421,8 +21201,7 @@ -

- are identified;

+

are identified;

@@ -22430,7 +21209,7 @@ -

the list of unauthorized software programs is reviewed and updated .

+

the list of unauthorized software programs is reviewed and updated .

@@ -22475,32 +21254,26 @@ Authorized Software — Allow-by-exception - + - -

software programs authorized to execute on the system are defined;

-
+ +

software programs authorized to execute on the system are defined;

+
- -

frequency at which to review and update the list of authorized software programs is defined;

-
+ +

frequency at which to review and update the list of authorized software programs is defined;

+
- - + + @@ -22514,7 +21287,7 @@ -

Identify ;

+

Identify ;

@@ -22522,18 +21295,17 @@ -

Review and update the list of authorized software programs .

+

Review and update the list of authorized software programs .

-

Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in CA-3(5) and SC-7.

+

Authorized software programs can be limited to specific versions or from a specific source. To facilitate a comprehensive authorized software process and increase the strength of protection for attacks that bypass application level authorized software, software programs may be decomposed into and monitored at different levels of detail. These levels include applications, application programming interfaces, application modules, scripts, system processes, system services, kernel functions, registries, drivers, and dynamic link libraries. The concept of permitting the execution of authorized software may also be applied to user actions, system ports and protocols, IP addresses/ranges, websites, and MAC addresses. Organizations consider verifying the integrity of authorized software programs using digital signatures, cryptographic checksums, or hash functions. Verification of authorized software can occur either prior to execution or at system startup. The identification of authorized URLs for websites is addressed in CA-3(5) and SC-7.

-

- are identified;

+

are identified;

@@ -22541,7 +21313,7 @@ -

the list of authorized software programs is reviewed and updated .

+

the list of authorized software programs is reviewed and updated .

@@ -22588,32 +21360,27 @@ - -

user-installed software required to be executed in a confined environment is defined;

-
+ +

user-installed software required to be executed in a confined environment is defined;

+
- - + + -

Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: .

+

Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: .

Organizations identify software that may be of concern regarding its origin or potential for containing malicious code. For this type of software, user installations occur in confined environments of operation to limit or contain damage from malicious code that may be executed.

-

- is required to be executed in a confined physical or virtual machine environment with limited privileges.

+

is required to be executed in a confined physical or virtual machine environment with limited privileges.

@@ -22657,27 +21424,21 @@ - -

personnel or roles to explicitly approve execution of binary or machine-executable code is/are defined;

-
+ +

personnel or roles to explicitly approve execution of binary or machine-executable code is/are defined;

+
- - - + + + -

Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of when such code is:

+

Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of when such code is:

Obtained from sources with limited or no warranty; and/or

@@ -22695,11 +21456,11 @@

the execution of binary or machine-executable code is only allowed in confined physical or virtual machine environments;

-

the execution of binary or machine-executable code obtained from sources with limited or no warranty is only allowed with the explicit approval of ;

+

the execution of binary or machine-executable code obtained from sources with limited or no warranty is only allowed with the explicit approval of ;

-

the execution of binary or machine-executable code without the provision of source code is only allowed with the explicit approval of .

+

the execution of binary or machine-executable code without the provision of source code is only allowed with the explicit approval of .

@@ -22745,15 +21506,9 @@ - - - + + + @@ -22830,40 +21585,32 @@ Prohibiting The Use of Unauthorized Hardware - + - -

hardware components authorized for system use are defined;

-
+ +

hardware components authorized for system use are defined;

+
- -

frequency at which to review and update the list of authorized hardware components is defined;

-
+ +

frequency at which to review and update the list of authorized hardware components is defined;

+
- - - + + + -

Identify ;

+

Identify ;

@@ -22871,7 +21618,7 @@ -

Review and update the list of authorized hardware components .

+

Review and update the list of authorized hardware components .

@@ -22881,8 +21628,7 @@ -

- are identified;

+

are identified;

@@ -22890,7 +21636,7 @@ -

the list of authorized hardware components is reviewed and updated .

+

the list of authorized hardware components is reviewed and updated .

@@ -22931,32 +21677,26 @@ System Component Inventory - + - -

information deemed necessary to achieve effective system component accountability is defined;

-
+ +

information deemed necessary to achieve effective system component accountability is defined;

+
- -

frequency at which to review and update the system component inventory is defined;

-
+ +

frequency at which to review and update the system component inventory is defined;

+
- - + + @@ -23003,17 +21743,17 @@
-

Includes the following information to achieve system component accountability: ; and

+

Includes the following information to achieve system component accountability: ; and

-

Review and update the system component inventory .

+

Review and update the system component inventory .

System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.

-

Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components.

+

Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components.

@@ -23037,12 +21777,12 @@ -

an inventory of system components that includes is developed and documented;

+

an inventory of system components that includes is developed and documented;

-

the system component inventory is reviewed and updated .

+

the system component inventory is reviewed and updated .

@@ -23082,12 +21822,8 @@ - - + + @@ -23149,85 +21885,69 @@ Automated Maintenance - - - - + + + + - -

automated mechanisms used to maintain the currency of the system component inventory are defined;

-
+ +

automated mechanisms used to maintain the currency of the system component inventory are defined;

+
- -

automated mechanisms used to maintain the completeness of the system component inventory are defined;

-
+ +

automated mechanisms used to maintain the completeness of the system component inventory are defined;

+
- -

automated mechanisms used to maintain the accuracy of the system component inventory are defined;

-
+ +

automated mechanisms used to maintain the accuracy of the system component inventory are defined;

+
- -

automated mechanisms used to maintain the availability of the system component inventory are defined;

-
+ +

automated mechanisms used to maintain the availability of the system component inventory are defined;

+
- - + + -

Maintain the currency, completeness, accuracy, and availability of the inventory of system components using .

+

Maintain the currency, completeness, accuracy, and availability of the inventory of system components using .

-

Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of CM-2(2) for organizations that combine system component inventory and baseline configuration activities.

+

Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of CM-2(2) for organizations that combine system component inventory and baseline configuration activities.

-

- are used to maintain the currency of the system component inventory;

+

are used to maintain the currency of the system component inventory;

-

- are used to maintain the completeness of the system component inventory;

+

are used to maintain the completeness of the system component inventory;

-

- are used to maintain the accuracy of the system component inventory;

+

are used to maintain the accuracy of the system component inventory;

-

- are used to maintain the availability of the system component inventory.

+

are used to maintain the availability of the system component inventory.

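Review bot: the removed lines in this hunk show the parameter text beginning on its own source line (`- are used to maintain the currency of the system component inventory;`), while the added version joins it onto a single line (`are used to maintain the currency of the system component inventory;`). Inside an XML paragraph that mixes text with inline elements, that line break and its indentation are part of the text node, so at the parser level the change is not purely cosmetic. Confirm that collapsing whitespace inside mixed content is intended by the reformatting step and that downstream renderers of the statement text treat the two forms as equivalent.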
@@ -23269,45 +21989,39 @@ Automated Unauthorized Component Detection - - - + + + - -

automated mechanisms used to detect the presence of unauthorized hardware within the system are defined;

-
+ +

automated mechanisms used to detect the presence of unauthorized hardware within the system are defined;

+
- -

automated mechanisms used to detect the presence of unauthorized software within the system are defined;

-
+ +

automated mechanisms used to detect the presence of unauthorized software within the system are defined;

+
- -

automated mechanisms used to detect the presence of unauthorized firmware within the system are defined;

-
+ +

automated mechanisms used to detect the presence of unauthorized firmware within the system are defined;

+
- -

frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined;

-
+ +

frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the system is defined;

+
@@ -23315,27 +22029,22 @@ - -

personnel or roles to be notified when unauthorized components are detected is/are defined (if selected);

-
+ +

personnel or roles to be notified when unauthorized components are detected is/are defined (if selected);

+
- - + + @@ -23349,17 +22058,15 @@ -

Detect the presence of unauthorized hardware, software, and firmware components within the system using - ; and

+

Detect the presence of unauthorized hardware, software, and firmware components within the system using ; and

-

Take the following actions when unauthorized components are detected: .

+

Take the following actions when unauthorized components are detected: .

-

Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see CM-7(9) ). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as sandboxing. -

+

Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see CM-7(9) ). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as sandboxing.

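Review bot: the guidance paragraph at the end of this hunk keeps a space before the comma in `Isolation can be achieved , for example` in both the removed and the added lines. If that is literal text rather than the residue of an inline element, it is a content typo; leaving it untouched is correct for a whitespace-only pass, but it should be tracked for a follow-up content fix so it is not lost in the reformat.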
@@ -23367,36 +22074,30 @@ -

the presence of unauthorized hardware within the system is detected using - ;

+

the presence of unauthorized hardware within the system is detected using ;

-

the presence of unauthorized software within the system is detected using - ;

+

the presence of unauthorized software within the system is detected using ;

-

the presence of unauthorized firmware within the system is detected using - ;

+

the presence of unauthorized firmware within the system is detected using ;

-

- are taken when unauthorized hardware is detected;

+

are taken when unauthorized hardware is detected;

-

- are taken when unauthorized software is detected;

+

are taken when unauthorized software is detected;

-

- are taken when unauthorized firmware is detected.

+

are taken when unauthorized firmware is detected.

@@ -23455,23 +22156,19 @@ - - + + -

Include in the system component inventory information, a means for identifying by , individuals responsible and accountable for administering those components.

+

Include in the system component inventory information, a means for identifying by , individuals responsible and accountable for administering those components.

Identifying individuals who are responsible and accountable for administering system components ensures that the assigned components are properly administered and that organizations can contact those individuals if some action is required (e.g., when the component is determined to be the source of a breach, needs to be recalled or replaced, or needs to be relocated).

-

individuals responsible and accountable for administering system components are identified by in the system component inventory.

+

individuals responsible and accountable for administering system components are identified by in the system component inventory.

@@ -23517,12 +22214,8 @@ - - + +

Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.

@@ -23581,12 +22274,8 @@ - - + +

Provide a centralized repository for the inventory of system components.

@@ -23638,30 +22327,25 @@ - -

automated mechanisms for tracking components are defined;

-
+ +

automated mechanisms for tracking components are defined;

+
- - + + -

Support the tracking of system components by geographic location using .

+

Support the tracking of system components by geographic location using .

The use of automated mechanisms to track the location of system components can increase the accuracy of component inventories. Such capability may help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions. The use of tracking mechanisms can be coordinated with senior agency officials for privacy if there are implications that affect individual privacy.

-

- are used to support the tracking of system components by geographic location.

+

are used to support the tracking of system components by geographic location.

@@ -23705,19 +22389,15 @@ - -

personnel or roles from which to receive an acknowledgement is/are defined;

-
+ +

personnel or roles from which to receive an acknowledgement is/are defined;

+
- - + + @@ -23726,7 +22406,7 @@ -

Receive an acknowledgement from of this assignment.

+

Receive an acknowledgement from of this assignment.

@@ -23740,7 +22420,7 @@ -

an acknowledgement of the component assignment is received from .

+

an acknowledgement of the component assignment is received from .

@@ -23787,16 +22467,14 @@ - -

personnel or roles to review and approve the configuration management plan is/are defined;

-
+ +

personnel or roles to review and approve the configuration management plan is/are defined;

+
- + @@ -23823,7 +22501,7 @@
-

Is reviewed and approved by ; and

+

Is reviewed and approved by ; and

@@ -23884,7 +22562,7 @@ -

the configuration management plan is reviewed and approved by ;

+

the configuration management plan is reviewed and approved by ;

@@ -23939,9 +22617,7 @@ - +

Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.

@@ -23980,9 +22656,7 @@ - + @@ -24063,28 +22737,25 @@ - -

restrictions on the use of open-source software are defined;

-
+ +

restrictions on the use of open-source software are defined;

+
- + -

Establish the following restrictions on the use of open-source software: .

+

Establish the following restrictions on the use of open-source software: .

-

Open-source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open-source software is that it provides organizations with the ability to examine the source code. In some cases, there is an online community associated with the software that inspects, tests, updates, and reports on issues found in software on an ongoing basis. However, remediating vulnerabilities in open-source software may be problematic. There may also be licensing issues associated with open-source software, including the constraints on derivative use of such software. Open-source software that is available only in binary form may increase the level of risk in using such software.

+

Open-source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open-source software is that it provides organizations with the ability to examine the source code. In some cases, there is an online community associated with the software that inspects, tests, updates, and reports on issues found in software on an ongoing basis. However, remediating vulnerabilities in open-source software may be problematic. There may also be licensing issues associated with open-source software, including the constraints on derivative use of such software. Open-source software that is available only in binary form may increase the level of risk in using such software.

-

- are established for the use of open-source software.

+

are established for the use of open-source software.

@@ -24130,32 +22801,30 @@ - -

policies governing the installation of software by users are defined;

-
+ +

policies governing the installation of software by users are defined;

+
- -

methods used to enforce software installation policies are defined;

-
+ +

methods used to enforce software installation policies are defined;

+
- -

frequency with which to monitor compliance is defined;

-
+ +

frequency with which to monitor compliance is defined;

+
- + @@ -24170,34 +22839,33 @@ -

Establish governing the installation of software by users;

+

Establish governing the installation of software by users;

-

Enforce software installation policies through the following methods: ; and

+

Enforce software installation policies through the following methods: ; and

-

Monitor policy compliance .

+

Monitor policy compliance .

-

If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved app stores. Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.

+

If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved app stores. Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.

-

- governing the installation of software by users are established;

+

governing the installation of software by users are established;

-

software installation policies are enforced through ;

+

software installation policies are enforced through ;

-

compliance with is monitored .

+

compliance with is monitored .

@@ -24251,9 +22919,7 @@ - + @@ -24306,40 +22972,32 @@ Automated Enforcement and Monitoring - - + + - -

automated mechanisms used to enforce compliance are defined;

-
+ +

automated mechanisms used to enforce compliance are defined;

+
- -

automated mechanisms used to monitor compliance are defined;

-
+ +

automated mechanisms used to monitor compliance are defined;

+
- - + + -

Enforce and monitor compliance with software installation policies using .

+

Enforce and monitor compliance with software installation policies using .

Organizations enforce and monitor compliance with software installation policies using automated mechanisms to more quickly detect and respond to unauthorized software installation which can be an indicator of an internal or external hostile attack.

@@ -24348,11 +23006,11 @@ -

compliance with software installation policies is enforced using ;

+

compliance with software installation policies is enforced using ;

-

compliance with software installation policies is monitored using .

+

compliance with software installation policies is monitored using .

@@ -24401,19 +23059,15 @@ - -

information for which the location is to be identified and documented is defined;

-
+ +

information for which the location is to be identified and documented is defined;

+
- - + + @@ -24436,7 +23090,7 @@ -

Identify and document the location of and the specific system components on which the information is processed and stored;

+

Identify and document the location of and the specific system components on which the information is processed and stored;

@@ -24448,7 +23102,7 @@
-

Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199 ). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17).

+

Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199 ). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17).

@@ -24456,37 +23110,37 @@ -

the location of is identified and documented;

+

the location of is identified and documented;

-

the specific system components on which is processed are identified and documented;

+

the specific system components on which is processed are identified and documented;

-

the specific system components on which is stored are identified and documented;

+

the specific system components on which is stored are identified and documented;

-

the users who have access to the system and system components where is processed are identified and documented;

+

the users who have access to the system and system components where is processed are identified and documented;

-

the users who have access to the system and system components where is stored are identified and documented;

+

the users who have access to the system and system components where is stored are identified and documented;

-

changes to the location (i.e., system or system components) where is processed are documented;

+

changes to the location (i.e., system or system components) where is processed are documented;

-

changes to the location (i.e., system or system components) where is stored are documented.

+

changes to the location (i.e., system or system components) where is stored are documented.

@@ -24535,37 +23189,33 @@ - -

information to be protected is defined by information type;

-
+ +

information to be protected is defined by information type;

+
- -

system components where the information is located are defined;

-
+ +

system components where the information is located are defined;

+
- - + + -

Use automated tools to identify on to ensure controls are in place to protect organizational information and individual privacy.

+

Use automated tools to identify on to ensure controls are in place to protect organizational information and individual privacy.

The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions.

-

automated tools are used to identify on to ensure that controls are in place to protect organizational information and individual privacy.

+

automated tools are used to identify on to ensure that controls are in place to protect organizational information and individual privacy.

@@ -24610,9 +23260,7 @@ - + @@ -24673,47 +23321,37 @@ Signed Components - - + + - -

software components requiring verification of a digitally signed certificate before installation are defined;

-
+ +

software components requiring verification of a digitally signed certificate before installation are defined;

+
- -

firmware components requiring verification of a digitally signed certificate before installation are defined;

-
+ +

firmware components requiring verification of a digitally signed certificate before installation are defined;

+
- - - + + + -

Prevent the installation of without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

+

Prevent the installation of without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

Software and firmware components prevented from installation unless signed with recognized and approved certificates include software and firmware version updates, patches, service packs, device drivers, and basic input/output system updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures and organizational verification of such signatures is a method of code authentication.

@@ -24722,11 +23360,11 @@ -

the installation of is prevented unless it is verified that the software has been digitally signed using a certificate recognized and approved by the organization;

+

the installation of is prevented unless it is verified that the software has been digitally signed using a certificate recognized and approved by the organization;

-

the installation of is prevented unless it is verified that the firmware has been digitally signed using a certificate recognized and approved by the organization.

+

the installation of is prevented unless it is verified that the firmware has been digitally signed using a certificate recognized and approved by the organization.

@@ -24771,27 +23409,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the contingency planning policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the contingency planning procedures are to be disseminated is/are defined;

+
@@ -24806,51 +23440,47 @@ - -

an official to manage the contingency planning policy and procedures is defined;

-
+ +

an official to manage the contingency planning policy and procedures is defined;

+
- -

the frequency at which the current contingency planning policy is reviewed and updated is defined;

-
+ +

the frequency at which the current contingency planning policy is reviewed and updated is defined;

+
- -

events that would require the current contingency planning policy to be reviewed and updated are defined;

-
+ +

events that would require the current contingency planning policy to be reviewed and updated are defined;

+
- -

the frequency at which the current contingency planning procedures are reviewed and updated is defined;

-
+ +

the frequency at which the current contingency planning procedures are reviewed and updated is defined;

+
- -

events that would require procedures to be reviewed and updated are defined;

-
+ +

events that would require procedures to be reviewed and updated are defined;

+
- - + + @@ -24863,11 +23493,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- contingency planning policy that:

+

contingency planning policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

@@ -24884,18 +23513,18 @@
-

Designate an to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and

Review and update the current contingency planning:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -24912,7 +23541,7 @@
-

the contingency planning policy is disseminated to ;

+

the contingency planning policy is disseminated to ;

@@ -24920,7 +23549,7 @@ -

the contingency planning procedures are disseminated to ;

+

the contingency planning procedures are disseminated to ;

@@ -24928,42 +23557,42 @@ -

the contingency planning policy addresses purpose;

+

the contingency planning policy addresses purpose;

-

the contingency planning policy addresses scope;

+

the contingency planning policy addresses scope;

-

the contingency planning policy addresses roles;

+

the contingency planning policy addresses roles;

-

the contingency planning policy addresses responsibilities;

+

the contingency planning policy addresses responsibilities;

-

the contingency planning policy addresses management commitment;

+

the contingency planning policy addresses management commitment;

-

the contingency planning policy addresses coordination among organizational entities;

+

the contingency planning policy addresses coordination among organizational entities;

-

the contingency planning policy addresses compliance;

+

the contingency planning policy addresses compliance;

-

the contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+

the contingency planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

-

the is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the contingency planning policy and procedures;

@@ -24971,22 +23600,22 @@ -

the current contingency planning policy is reviewed and updated ;

+

the current contingency planning policy is reviewed and updated ;

-

the current contingency planning policy is reviewed and updated following ;

+

the current contingency planning policy is reviewed and updated following ;

-

the current contingency planning procedures are reviewed and updated ;

+

the current contingency planning procedures are reviewed and updated ;

-

the current contingency planning procedures are reviewed and updated following .

+

the current contingency planning procedures are reviewed and updated following .

@@ -25013,88 +23642,74 @@ Contingency Plan - - + + - - + + - - + + - -

personnel or roles to review a contingency plan is/are defined;

-
+ +

personnel or roles to review a contingency plan is/are defined;

+
- -

personnel or roles to approve a contingency plan is/are defined;

-
+ +

personnel or roles to approve a contingency plan is/are defined;

+
- -

key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;

-
+ +

key contingency personnel (identified by name and/or by role) to whom copies of the contingency plan are distributed are defined;

+
- -

key contingency organizational elements to which copies of the contingency plan are distributed are defined;

-
+ +

key contingency organizational elements to which copies of the contingency plan are distributed are defined;

+
- -

frequency of contingency plan review is defined;

-
+ +

frequency of contingency plan review is defined;

+
- -

key contingency personnel (identified by name and/or by role) to communicate changes to are defined;

-
+ +

key contingency personnel (identified by name and/or by role) to communicate changes to are defined;

+
- -

key contingency organizational elements to communicate changes to are defined;

-
+ +

key contingency organizational elements to communicate changes to are defined;

+
- + @@ -25152,12 +23767,12 @@
-

Is reviewed and approved by ;

+

Is reviewed and approved by ;

-

Distribute copies of the contingency plan to ;

+

Distribute copies of the contingency plan to ;

@@ -25165,7 +23780,7 @@ -

Review the contingency plan for the system ;

+

Review the contingency plan for the system ;

@@ -25173,7 +23788,7 @@ -

Communicate contingency plan changes to ;

+

Communicate contingency plan changes to ;

@@ -25186,7 +23801,7 @@

Contingency planning for systems is part of an overall program for achieving continuity of operations for organizational mission and business functions. Contingency planning addresses system restoration and implementation of alternative mission or business processes when systems are compromised or breached. Contingency planning is considered throughout the system development life cycle and is a fundamental part of the system design. Systems can be designed for redundancy, to provide backup capabilities, and for resilience. Contingency plans reflect the degree of restoration required for organizational systems since not all systems need to fully recover to achieve the level of continuity of operations desired. System recovery objectives reflect applicable laws, executive orders, directives, regulations, policies, standards, guidelines, organizational risk tolerance, and system impact level.

-

Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in IR-4(5) . Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family.

+

Actions addressed in contingency plans include orderly system degradation, system shutdown, fallback to a manual mode, alternate information flows, and operating in modes reserved for when systems are under attack. By coordinating contingency planning with incident handling activities, organizations ensure that the necessary planning activities are in place and activated in the event of an incident. Organizations consider whether continuity of operations during an incident conflicts with the capability to automatically disable the system, as specified in IR-4(5) . Incident response planning is part of contingency planning for organizations and is addressed in the IR (Incident Response) family.

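Review bot: the removed and added versions of this guidance paragraph are textually identical (both read "... as specified in IR-4(5) . Incident response planning is part of contingency planning ..."), which is consistent with a whitespace-only change, but the hunk itself cannot prove it because the diff reports whole lines. Suggest attaching a whitespace-insensitive comparison to the PR so a reviewer can confirm that no text node changed anywhere in the catalog: `git diff -w` over the file, or `xmllint --noblanks` run on both revisions followed by a plain `diff` of the results. Separately, the space before the period in "IR-4(5) ." survives on both sides; if that is a real text node in the source rather than an artifact of how the diff is displayed, it is a content fix that belongs in its own change, not in a cosmetic one.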
@@ -25242,11 +23857,11 @@ -

a contingency plan for the system is developed that is reviewed by ;

+

a contingency plan for the system is developed that is reviewed by ;

-

a contingency plan for the system is developed that is approved by ;

+

a contingency plan for the system is developed that is approved by ;

@@ -25254,11 +23869,11 @@ -

copies of the contingency plan are distributed to ;

+

copies of the contingency plan are distributed to ;

-

copies of the contingency plan are distributed to ;

+

copies of the contingency plan are distributed to ;

@@ -25267,7 +23882,7 @@ -

the contingency plan for the system is reviewed ;

+

the contingency plan for the system is reviewed ;

@@ -25284,11 +23899,11 @@ -

contingency plan changes are communicated to ;

+

contingency plan changes are communicated to ;

-

contingency plan changes are communicated to ;

+

contingency plan changes are communicated to ;

@@ -25349,9 +23964,7 @@ - +

Coordinate contingency plan development with organizational elements responsible for related plans.

@@ -25397,9 +24010,7 @@ - + @@ -25464,26 +24075,24 @@ - -

the contingency plan activation time period within which to resume mission and business functions is defined;

-
+ +

the contingency plan activation time period within which to resume mission and business functions is defined;

+
- + -

Plan for the resumption of mission and business functions within of contingency plan activation.

+

Plan for the resumption of mission and business functions within of contingency plan activation.

Organizations may choose to conduct contingency planning activities to resume mission and business functions as part of business continuity planning or as part of business impact analyses. Organizations prioritize the resumption of mission and business functions. The time period for resuming mission and business functions may be dependent on the severity and extent of the disruptions to the system and its supporting infrastructure.

-

the resumption of mission and business functions are planned for within of contingency plan activation.

+

the resumption of mission and business functions are planned for within of contingency plan activation.

@@ -25538,12 +24147,10 @@ - + -

Plan for the continuance of mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.

+

Plan for the continuance of mission and business functions with minimal or no loss of operational continuity and sustains that continuity until full system restoration at primary processing and/or storage sites.

Organizations may choose to conduct the contingency planning activities to continue mission and business functions as part of business continuity planning or business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency.

@@ -25552,7 +24159,7 @@ -

the continuance of mission and business functions with minimal or no loss of operational continuity is planned for;

+

the continuance of mission and business functions with minimal or no loss of operational continuity is planned for;

@@ -25607,12 +24214,10 @@ - + -

Plan for the transfer of mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites.

+

Plan for the transfer of mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites.

Organizations may choose to conduct contingency planning activities for alternate processing and storage sites as part of business continuity planning or business impact analyses. Primary processing and/or storage sites defined by organizations as part of contingency planning may change depending on the circumstances associated with the contingency.

@@ -25621,7 +24226,7 @@ -

the transfer of mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity is planned for;

+

the transfer of mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity is planned for;

@@ -25666,9 +24271,7 @@ - + @@ -25719,21 +24322,19 @@ - + -

Identify critical system assets supporting mission and business functions.

+

Identify critical system assets supporting mission and business functions.

-

Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing CP-2(7) as a control enhancement.

+

Organizations may choose to identify critical assets as part of criticality analysis, business continuity planning, or business impact analyses. Organizations identify critical system assets so that additional controls can be employed (beyond the controls routinely implemented) to help ensure that organizational mission and business functions can continue to be conducted during contingency operations. The identification of critical information assets also facilitates the prioritization of organizational resources. Critical system assets include technical and operational aspects. Technical aspects include system components, information technology services, information technology products, and mechanisms. Operational aspects include procedures (i.e., manually executed operations) and personnel (i.e., individuals operating technical controls and/or executing manual procedures). Organizational program protection plans can assist in identifying critical assets. If critical assets are resident within or supported by external service providers, organizations consider implementing CP-2(7) as a control enhancement.

-

critical system assets supporting mission and business functions are identified.

+

critical system assets supporting mission and business functions are identified.

@@ -25764,43 +24365,39 @@ - -

the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;

-
+ +

the time period within which to provide contingency training after assuming a contingency role or responsibility is defined;

+
- -

frequency at which to provide training to system users with a contingency role or responsibility is defined;

-
+ +

frequency at which to provide training to system users with a contingency role or responsibility is defined;

+
- -

frequency at which to review and update contingency training content is defined;

-
+ +

frequency at which to review and update contingency training content is defined;

+
- -

events necessitating review and update of contingency training are defined;

-
+ +

events necessitating review and update of contingency training are defined;

+
- - + + @@ -25817,7 +24414,7 @@

Provide contingency training to system users consistent with assigned roles and responsibilities:

-

Within of assuming a contingency role or responsibility;

+

Within of assuming a contingency role or responsibility;

@@ -25825,13 +24422,12 @@ -

- thereafter; and

+

thereafter; and

-

Review and update contingency training content and following .

+

Review and update contingency training content and following .

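Review bot: in the hunk headed `-25825,13 +24422,12` the text node "thereafter; and" loses its own line and is joined onto the line holding the preceding inline element (the hunk shrinks from 13 to 12 lines), and that is the one kind of whitespace a reformatter must not simply delete. Inside mixed content, a paragraph containing an inline parameter insertion, the newline plus indentation between the element and the following text is the only separator between the inserted frequency value and the word "thereafter"; collapsing it to nothing runs them together in the rendered statement. Suggest that the stylesheet replace such newline-plus-indent runs inside mixed content with a single space (or leave text nodes in mixed content untouched and only re-indent element-only content), and that the PR include a check comparing the whitespace-collapsed string value of every paragraph between the two revisions.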
@@ -25843,7 +24439,7 @@ -

contingency training is provided to system users consistent with assigned roles and responsibilities within of assuming a contingency role or responsibility;

+

contingency training is provided to system users consistent with assigned roles and responsibilities within of assuming a contingency role or responsibility;

@@ -25851,18 +24447,18 @@ -

contingency training is provided to system users consistent with assigned roles and responsibilities thereafter;

+

contingency training is provided to system users consistent with assigned roles and responsibilities thereafter;

-

the contingency plan training content is reviewed and updated ;

+

the contingency plan training content is reviewed and updated ;

-

the contingency plan training content is reviewed and updated following .

+

the contingency plan training content is reviewed and updated following .

@@ -25900,12 +24496,8 @@ - - + +

Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.

@@ -25952,12 +24544,8 @@ - - + +

Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment.

@@ -26003,45 +24591,37 @@ Contingency Plan Testing - - + + - -

frequency of testing the contingency plan for the system is defined;

-
+ +

frequency of testing the contingency plan for the system is defined;

+
- -

tests for determining the effectiveness of the contingency plan are defined;

-
+ +

tests for determining the effectiveness of the contingency plan are defined;

+
- -

tests for determining readiness to execute the contingency plan are defined;

-
+ +

tests for determining readiness to execute the contingency plan are defined;

+
- - + + @@ -26059,7 +24639,7 @@ -

Test the contingency plan for the system using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: .

+

Test the contingency plan for the system using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: .

@@ -26079,17 +24659,15 @@ -

the contingency plan for the system is tested ;

+

the contingency plan for the system is tested ;

-

- are used to determine the effectiveness of the plan;

+

are used to determine the effectiveness of the plan;

-

- are used to determine the readiness to execute the plan;

+

are used to determine the readiness to execute the plan;

@@ -26135,12 +24713,8 @@ - - + + @@ -26189,12 +24763,8 @@ - - + + @@ -26260,29 +24830,25 @@ - -

automated mechanisms for contingency plan testing are defined;

-
+ +

automated mechanisms for contingency plan testing are defined;

+
- - + + -

Test the contingency plan using .

+

Test the contingency plan using .

Automated mechanisms facilitate thorough and effective testing of contingency plans by providing more complete coverage of contingency issues, selecting more realistic test scenarios and environments, and effectively stressing the system and supported mission and business functions.

-

the contingency plan is tested using .

+

the contingency plan is tested using .

@@ -26320,12 +24886,8 @@ - - + + @@ -26384,41 +24946,34 @@ - -

mechanisms employed to disrupt and adversely affect the system or system component are defined;

-
+ +

mechanisms employed to disrupt and adversely affect the system or system component are defined;

+
- -

system or system component on which to apply disruption mechanisms are defined;

-
+ +

system or system component on which to apply disruption mechanisms are defined;

+
- - - + + + -

Employ to to disrupt and adversely affect the system or system component.

+

Employ to to disrupt and adversely affect the system or system component.

Often, the best method of assessing system resilience is to disrupt the system in some manner. The mechanisms used by the organization could disrupt system functions or system services in many ways, including terminating or disabling critical system components, changing the configuration of system components, degrading critical functionality (e.g., restricting network bandwidth), or altering privileges. Automated, on-going, and simulated cyber-attacks and service disruptions can reveal unexpected functional dependencies and help the organization determine its ability to ensure resilience in the face of an actual cyber-attack.

-

- are employed to disrupt and adversely affect the .

+

are employed to disrupt and adversely affect the .

@@ -26465,9 +25020,7 @@ - + @@ -26545,9 +25098,7 @@ - + @@ -26589,9 +25140,7 @@ - +

Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

@@ -26647,9 +25196,7 @@ - + @@ -26701,27 +25248,23 @@ - -

system operations for essential mission and business functions are defined;

-
+ +

system operations for essential mission and business functions are defined;

+
- + - -

time period consistent with recovery time and recovery point objectives is defined;

-
+ +

time period consistent with recovery time and recovery point objectives is defined;

+
- + @@ -26738,7 +25281,7 @@ -

Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of for essential mission and business functions within when the primary processing capabilities are unavailable;

+

Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of for essential mission and business functions within when the primary processing capabilities are unavailable;

@@ -26756,17 +25299,17 @@ -

an alternate processing site, including necessary agreements to permit the transfer and resumption of for essential mission and business functions, is established within when the primary processing capabilities are unavailable;

+

an alternate processing site, including necessary agreements to permit the transfer and resumption of for essential mission and business functions, is established within when the primary processing capabilities are unavailable;

-

the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within for transfer;

+

the equipment and supplies required to transfer operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within for transfer;

-

the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within for resumption;

+

the equipment and supplies required to resume operations are made available at the alternate processing site or if contracts are in place to support delivery to the site within for resumption;

@@ -26811,9 +25354,7 @@ - + @@ -26855,9 +25396,7 @@ - + @@ -26906,9 +25445,7 @@ - +

Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).

@@ -26949,9 +25486,7 @@ - + @@ -27010,9 +25545,7 @@ - +

Plan and prepare for circumstances that preclude returning to the primary processing site.

@@ -27061,24 +25594,22 @@ - -

system operations to be resumed for essential mission and business functions are defined;

-
+ +

system operations to be resumed for essential mission and business functions are defined;

+
- -

time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined;

-
+ +

time period within which to resume essential mission and business functions when the primary telecommunications capabilities are unavailable is defined;

+
- + @@ -27086,14 +25617,14 @@ -

Establish alternate telecommunications services, including necessary agreements to permit the resumption of for essential mission and business functions within when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

+

Establish alternate telecommunications services, including necessary agreements to permit the resumption of for essential mission and business functions within when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

-

Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for CP-8 . Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.

+

Telecommunications services (for data and voice) for primary and alternate processing and storage sites are in scope for CP-8 . Alternate telecommunications services reflect the continuity requirements in contingency plans to maintain essential mission and business functions despite the loss of primary telecommunications services. Organizations may specify different time periods for primary or alternate sites. Alternate telecommunications services include additional organizational or commercial ground-based circuits or lines, network-based approaches to telecommunications, or the use of satellites. Organizations consider factors such as availability, quality of service, and access when entering into alternate telecommunications agreements.

-

alternate telecommunications services, including necessary agreements to permit the resumption of , are established for essential mission and business functions within when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

+

alternate telecommunications services, including necessary agreements to permit the resumption of , are established for essential mission and business functions within when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

@@ -27130,9 +25661,7 @@ - + @@ -27201,9 +25730,7 @@ - +

Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

@@ -27243,9 +25770,7 @@ - +

Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

@@ -27284,34 +25809,28 @@ Provider Contingency Plan - - + + - -

frequency at which to obtain evidence of contingency testing by providers is defined;

-
+ +

frequency at which to obtain evidence of contingency testing by providers is defined;

+
- -

frequency at which to obtain evidence of contingency training by providers is defined;

-
+ +

frequency at which to obtain evidence of contingency training by providers is defined;

+
- + @@ -27326,7 +25845,7 @@
-

Obtain evidence of contingency testing and training by providers .

+

Obtain evidence of contingency testing and training by providers .

@@ -27353,11 +25872,11 @@ -

evidence of contingency testing by providers is obtained .

+

evidence of contingency testing by providers is obtained .

-

evidence of contingency training by providers is obtained .

+

evidence of contingency training by providers is obtained .

@@ -27392,27 +25911,25 @@ - -

frequency at which alternate telecommunications services are tested is defined;

-
+ +

frequency at which alternate telecommunications services are tested is defined;

+
- + -

Test alternate telecommunication services .

+

Test alternate telecommunication services .

Alternate telecommunications services testing is arranged through contractual agreements with service providers. The testing may occur in parallel with normal operations to ensure that there is no degradation in organizational missions or functions.

-

alternate telecommunications services are tested .

+

alternate telecommunications services are tested .

@@ -27451,49 +25968,41 @@ - -

system components for which to conduct backups of user-level information is defined;

-
+ +

system components for which to conduct backups of user-level information is defined;

+
- + - -

frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;

-
+ +

frequency at which to conduct backups of user-level information consistent with recovery time and recovery point objectives is defined;

+
- + - -

frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;

-
+ +

frequency at which to conduct backups of system-level information consistent with recovery time and recovery point objectives is defined;

+
- + - -

frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;

-
+ +

frequency at which to conduct backups of system documentation consistent with recovery time and recovery point objectives is defined;

+
- + @@ -27512,16 +26021,15 @@ -

Conduct backups of user-level information contained in - ;

+

Conduct backups of user-level information contained in ;

-

Conduct backups of system-level information contained in the system ;

+

Conduct backups of system-level information contained in the system ;

-

Conduct backups of system documentation, including security- and privacy-related documentation ; and

+

Conduct backups of system documentation, including security- and privacy-related documentation ; and

@@ -27529,21 +26037,21 @@
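Review bot: the join in the hunk headed `-27512,16 +26021,15` needs an asymmetric rule, because the removed side has "Conduct backups of user-level information contained in" on one line and the trailing ";" on a line of its own after the inline parameter insertion. A normalizer that turns every newline adjacent to an inline element into a space keeps the space that is required between "contained in" and the inserted value, but also produces "contained in <value> ;" with a stray space before the semicolon; one that removes every such newline produces "contained in<value>;". Suggest that whitespace normalization inside mixed content preserve the original text nodes exactly and limit itself to indentation of element-only content, or, failing that, that the rendered string value of each affected paragraph be compared before and after the reformat and any difference treated as a defect in the stylesheet rather than in the catalog.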
-

System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8 . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

+

System-level information includes system state information, operating system software, middleware, application software, and licenses. User-level information includes information other than system-level information. Mechanisms employed to protect the integrity of system backups include digital signatures and cryptographic hashes. Protection of system backup information while in transit is addressed by MP-5 and SC-8 . System backups reflect the requirements in contingency plans as well as other organizational requirements for backing up information. Organizations may be subject to laws, executive orders, directives, regulations, or policies with requirements regarding specific categories of information (e.g., personal health information). Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

-

backups of user-level information contained in are conducted ;

+

backups of user-level information contained in are conducted ;

-

backups of system-level information contained in the system are conducted ;

+

backups of system-level information contained in the system are conducted ;

-

backups of system documentation, including security- and privacy-related documentation are conducted ;

+

backups of system documentation, including security- and privacy-related documentation are conducted ;

@@ -27594,38 +26102,32 @@ Testing for Reliability and Integrity - - + + - -

frequency at which to test backup information for media reliability is defined;

-
+ +

frequency at which to test backup information for media reliability is defined;

+
- -

frequency at which to test backup information for information integrity is defined;

-
+ +

frequency at which to test backup information for information integrity is defined;

+
- + -

Test backup information to verify media reliability and information integrity.

+

Test backup information to verify media reliability and information integrity.

Organizations need assurance that backup information can be reliably retrieved. Reliability pertains to the systems and system components where the backup information is stored, the operations used to retrieve the information, and the integrity of the information being retrieved. Independent and specialized tests can be used for each of the aspects of reliability. For example, decrypting and transporting (or transmitting) a random sample of backup files from the alternate storage or backup site and comparing the information to the same information at the primary processing site can provide such assurance.

@@ -27634,11 +26136,11 @@ -

backup information is tested to verify media reliability;

+

backup information is tested to verify media reliability;

-

backup information is tested to verify information integrity.

+

backup information is tested to verify information integrity.

@@ -27677,9 +26179,7 @@ - + @@ -27730,29 +26230,27 @@ - -

critical system software and other security-related information backups to be stored in a separate facility are defined;

-
+ +

critical system software and other security-related information backups to be stored in a separate facility are defined;

+
- + -

Store backup copies of in a separate facility or in a fire rated container that is not collocated with the operational system.

+

Store backup copies of in a separate facility or in a fire rated container that is not collocated with the operational system.

Separate storage for critical information applies to all critical information regardless of the type of backup storage media. Critical system software includes operating systems, middleware, cryptographic key management systems, and intrusion detection systems. Security-related information includes inventories of system hardware, software, and firmware components. Alternate storage sites, including geographically distributed architectures, serve as separate storage facilities for organizations. Organizations may provide separate storage by implementing automated backup processes at alternative storage sites (e.g., data centers). The General Services Administration (GSA) establishes standards and specifications for security and fire rated containers.

-

backup copies of are stored in a separate facility or in a fire rated container that is not collocated with the operational system.

+

backup copies of are stored in a separate facility or in a fire rated container that is not collocated with the operational system.

@@ -27789,41 +26287,35 @@ Transfer to Alternate Storage Site - - + + - -

time period consistent with recovery time and recovery point objectives is defined;

-
+ +

time period consistent with recovery time and recovery point objectives is defined;

+
- -

transfer rate consistent with recovery time and recovery point objectives is defined;

-
+ +

transfer rate consistent with recovery time and recovery point objectives is defined;

+
- + -

Transfer system backup information to the alternate storage site .

+

Transfer system backup information to the alternate storage site .

System backup information can be transferred to alternate storage sites either electronically or by the physical shipment of storage media.

@@ -27832,11 +26324,11 @@ -

system backup information is transferred to the alternate storage site for ;

+

system backup information is transferred to the alternate storage site for ;

-

system backup information is transferred to the alternate storage site .

+

system backup information is transferred to the alternate storage site .

@@ -27876,9 +26368,7 @@ - + @@ -27939,29 +26429,27 @@ - -

backup information for which to enforce dual authorization in order to delete or destroy is defined;

-
+ +

backup information for which to enforce dual authorization in order to delete or destroy is defined;

+
- + -

Enforce dual authorization for the deletion or destruction of .

+

Enforce dual authorization for the deletion or destruction of .

Dual authorization ensures that deletion or destruction of backup information cannot occur unless two qualified individuals carry out the task. Individuals deleting or destroying backup information possess the skills or expertise to determine if the proposed deletion or destruction of information reflects organizational policies and procedures. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals.

-

dual authorization for the deletion or destruction of is enforced.

+

dual authorization for the deletion or destruction of is enforced.

@@ -28001,29 +26489,27 @@ - -

backup information to protect against unauthorized disclosure and modification is defined;

-
+ +

backup information to protect against unauthorized disclosure and modification is defined;

+
- + -

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of .

+

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of .

The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of backup information. The strength of mechanisms selected is commensurate with the security category or classification of the information. Cryptographic protection applies to system backup information in storage at both primary and alternate locations. Organizations that implement cryptographic mechanisms to protect information at rest also consider cryptographic key management solutions.

-

cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of .

+

cryptographic mechanisms are implemented to prevent unauthorized disclosure and modification of .

@@ -28058,34 +26544,28 @@ System Recovery and Reconstitution - - + + - -

time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;

-
+ +

time period consistent with recovery time and recovery point objectives for the recovery of the system is determined;

+
- -

time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;

-
+ +

time period consistent with recovery time and recovery point objectives for the reconstitution of the system is determined;

+
- + @@ -28097,7 +26577,7 @@ -

Provide for the recovery and reconstitution of the system to a known state within after a disruption, compromise, or failure.

+

Provide for the recovery and reconstitution of the system to a known state within after a disruption, compromise, or failure.

Recovery is executing contingency plan activities to restore organizational mission and business functions. Reconstitution takes place following recovery and includes activities for returning systems to fully operational states. Recovery and reconstitution operations reflect mission and business priorities; recovery point, recovery time, and reconstitution objectives; and organizational metrics consistent with contingency plan requirements. Reconstitution includes the deactivation of interim system capabilities that may have been needed during recovery operations. Reconstitution also includes assessments of fully restored system capabilities, reestablishment of continuous monitoring activities, system reauthorization (if required), and activities to prepare the system and organization for future disruptions, breaches, compromises, or failures. Recovery and reconstitution capabilities can include automated mechanisms and manual procedures. Organizations establish recovery time and recovery point objectives as part of contingency planning.

@@ -28106,11 +26586,11 @@ -

the recovery of the system to a known state is provided within after a disruption, compromise, or failure;

+

the recovery of the system to a known state is provided within after a disruption, compromise, or failure;

-

a reconstitution of the system to a known state is provided within after a disruption, compromise, or failure.

+

a reconstitution of the system to a known state is provided within after a disruption, compromise, or failure.

@@ -28158,9 +26638,7 @@ - +

Implement transaction recovery for systems that are transaction-based.

@@ -28221,28 +26699,26 @@ - -

restoration time period within which to restore system components to a known, operational state is defined;

-
+ +

restoration time period within which to restore system components to a known, operational state is defined;

+
- + -

Provide the capability to restore system components within from configuration-controlled and integrity-protected information representing a known, operational state for the components.

+

Provide the capability to restore system components within from configuration-controlled and integrity-protected information representing a known, operational state for the components.

Restoration of system components includes reimaging, which restores the components to known, operational states.

-

the capability to restore system components within from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.

+

the capability to restore system components within from configuration-controlled and integrity-protected information representing a known, operational state for the components is provided.

@@ -28289,9 +26765,7 @@ - + @@ -28350,28 +26824,26 @@ - -

alternative communications protocols in support of maintaining continuity of operations are defined;

-
+ +

alternative communications protocols in support of maintaining continuity of operations are defined;

+
- + -

Provide the capability to employ in support of maintaining continuity of operations.

+

Provide the capability to employ in support of maintaining continuity of operations.

Contingency plans and the contingency training or testing associated with those plans incorporate an alternate communications protocol capability as part of establishing resilience in organizational systems. Switching communications protocols may affect software applications and operational aspects of systems. Organizations assess the potential side effects of introducing alternate communications protocols prior to implementation.

-

the capability to employ are provided in support of maintaining continuity of operations.

+

the capability to employ are provided in support of maintaining continuity of operations.

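Review bot: the assessment objective on both the removed and the re-added line, "the capability to employ are provided in support of maintaining continuity of operations.", has a subject-verb mismatch ("the capability ... are provided" should read "is provided"). A whitespace-only patch is right to leave it untouched, but it is worth a separate content fix.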
@@ -28411,46 +26883,40 @@ Safe Mode - + - -

restrictions for safe mode of operation are defined;

-
+ +

restrictions for safe mode of operation are defined;

+
- -

conditions detected to enter a safe mode of operation are defined;

-
+ +

conditions detected to enter a safe mode of operation are defined;

+
- - + + -

When are detected, enter a safe mode of operation with .

+

When are detected, enter a safe mode of operation with .

For systems that support critical mission and business functions—including military operations, civilian space operations, nuclear power plant operations, and air traffic control operations (especially real-time operational environments)—organizations can identify certain conditions under which those systems revert to a predefined safe mode of operation. The safe mode of operation, which can be activated either automatically or manually, restricts the operations that systems can execute when those conditions are encountered. Restriction includes allowing only selected functions to execute that can be carried out under limited power or with reduced communications bandwidth.

-

a safe mode of operation is entered with when are detected.

+

a safe mode of operation is entered with when are detected.

@@ -28495,40 +26961,35 @@ - -

alternative or supplemental security mechanisms are defined;

-
+ +

alternative or supplemental security mechanisms are defined;

+
- -

security functions are defined;

-
+ +

security functions are defined;

+
- - + + -

Employ for satisfying when the primary means of implementing the security function is unavailable or compromised.

+

Employ for satisfying when the primary means of implementing the security function is unavailable or compromised.

Use of alternative security mechanisms supports system resiliency, contingency planning, and continuity of operations. To ensure mission and business continuity, organizations can implement alternative or supplemental security mechanisms. The mechanisms may be less effective than the primary mechanisms. However, having the capability to readily employ alternative or supplemental mechanisms enhances mission and business continuity that might otherwise be adversely impacted if operations had to be curtailed until the primary means of implementing the functions was restored. Given the cost and level of effort required to provide such alternative capabilities, the alternative or supplemental mechanisms are only applied to critical security capabilities provided by systems, system components, or system services. For example, an organization may issue one-time pads to senior executives, officials, and system administrators if multi-factor tokens—the standard means for achieving secure authentication— are compromised.

-

- are employed for satisfying when the primary means of implementing the security function is unavailable or compromised.

+

are employed for satisfying when the primary means of implementing the security function is unavailable or compromised.

@@ -28568,27 +27029,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the identification and authentication policy is to be disseminated are defined;

-
+ +

personnel or roles to whom the identification and authentication policy is to be disseminated are defined;

+
- -

personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the identification and authentication procedures are to be disseminated is/are defined;

+
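Review bot: the two parameter descriptions in this hunk are phrased inconsistently, "...policy is to be disseminated are defined;" versus "...procedures are to be disseminated is/are defined;". Not something this whitespace pass should change, but flag it for a follow-up so the pair uses the same form.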
@@ -28603,51 +27060,47 @@ - -

an official to manage the identification and authentication policy and procedures is defined;

-
+ +

an official to manage the identification and authentication policy and procedures is defined;

+
- -

the frequency at which the current identification and authentication policy is reviewed and updated is defined;

-
+ +

the frequency at which the current identification and authentication policy is reviewed and updated is defined;

+
- -

events that would require the current identification and authentication policy to be reviewed and updated are defined;

-
+ +

events that would require the current identification and authentication policy to be reviewed and updated are defined;

+
- -

the frequency at which the current identification and authentication procedures are reviewed and updated is defined;

-
+ +

the frequency at which the current identification and authentication procedures are reviewed and updated is defined;

+
- -

events that would require identification and authentication procedures to be reviewed and updated are defined;

-
+ +

events that would require identification and authentication procedures to be reviewed and updated are defined;

+
- - + + @@ -28666,11 +27119,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- identification and authentication policy that:

+

identification and authentication policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

@@ -28687,18 +27139,18 @@
-

Designate an to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and

Review and update the current identification and authentication:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -28715,7 +27167,7 @@
-

the identification and authentication policy is disseminated to ;

+

the identification and authentication policy is disseminated to ;

@@ -28723,7 +27175,7 @@ -

the identification and authentication procedures are disseminated to ;

+

the identification and authentication procedures are disseminated to ;

@@ -28731,42 +27183,42 @@ -

the identification and authentication policy addresses purpose;

+

the identification and authentication policy addresses purpose;

-

the identification and authentication policy addresses scope;

+

the identification and authentication policy addresses scope;

-

the identification and authentication policy addresses roles;

+

the identification and authentication policy addresses roles;

-

the identification and authentication policy addresses responsibilities;

+

the identification and authentication policy addresses responsibilities;

-

the identification and authentication policy addresses management commitment;

+

the identification and authentication policy addresses management commitment;

-

the identification and authentication policy addresses coordination among organizational entities;

+

the identification and authentication policy addresses coordination among organizational entities;

-

the identification and authentication policy addresses compliance;

+

the identification and authentication policy addresses compliance;

-

the identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

+

the identification and authentication policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

-

the is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the identification and authentication policy and procedures;

@@ -28774,22 +27226,22 @@ -

the current identification and authentication policy is reviewed and updated ;

+

the current identification and authentication policy is reviewed and updated ;

-

the current identification and authentication policy is reviewed and updated following ;

+

the current identification and authentication policy is reviewed and updated following ;

-

the current identification and authentication procedures are reviewed and updated ;

+

the current identification and authentication procedures are reviewed and updated ;

-

the current identification and authentication procedures are reviewed and updated following .

+

the current identification and authentication procedures are reviewed and updated following .

@@ -28820,12 +27272,8 @@ - - + + @@ -28864,9 +27312,9 @@

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

-

Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12 . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.

+

Organizations can satisfy the identification and authentication requirements by complying with the requirements in HSPD 12 . Organizational users include employees or individuals who organizations consider to have an equivalent status to employees (e.g., contractors and guest researchers). Unique identification and authentication of users applies to all accesses other than those that are explicitly identified in AC-14 and that occur through the authorized use of group authenticators without individual authentication. Since processes execute on behalf of groups and roles, organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity.

Organizations employ passwords, physical authenticators, or biometrics to authenticate user identities or, in the case of multi-factor authentication, some combination thereof. Access to organizational systems is defined as either local access or network access. Local access is any access to organizational systems by users or processes acting on behalf of users, where access is obtained through direct connections without the use of networks. Network access is access to organizational systems by users (or processes acting on behalf of users) where access is obtained through network connections (i.e., nonlocal accesses). Remote access is a type of network access that involves communication through external networks. Internal networks include local area networks and wide area networks.

-

The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8.

+

The use of encrypted virtual private networks for network connections between organization-controlled endpoints and non-organization-controlled endpoints may be treated as internal networks with respect to protecting the confidentiality and integrity of information traversing the network. Identification and authentication requirements for non-organizational users are described in IA-8.

@@ -28916,9 +27364,7 @@ - + @@ -28970,9 +27416,7 @@ - + @@ -29039,12 +27483,8 @@ - - + +

When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources.

@@ -29112,27 +27552,25 @@ - -

the strength of mechanism requirements to be enforced by a device separate from the system gaining access to accounts is defined;

-
+ +

the strength of mechanism requirements to be enforced by a device separate from the system gaining access to accounts is defined;

+
- + -

Implement multi-factor authentication for access to such that:

+

Implement multi-factor authentication for access to such that:

One of the factors is provided by a device separate from the system gaining access; and

-

The device meets .

+

The device meets .

@@ -29142,11 +27580,11 @@ -

multi-factor authentication is implemented for access to such that one of the factors is provided by a device separate from the system gaining access;

+

multi-factor authentication is implemented for access to such that one of the factors is provided by a device separate from the system gaining access;

-

multi-factor authentication is implemented for access to such that the device meets .

+

multi-factor authentication is implemented for access to such that the device meets .

@@ -29203,19 +27641,17 @@ - + -

Implement replay-resistant authentication mechanisms for access to .

+

Implement replay-resistant authentication mechanisms for access to .

Authentication processes resist replay attacks if it is impractical to achieve successful authentications by replaying previous authentication messages. Replay-resistant techniques include protocols that use nonces or challenges such as time synchronous or cryptographic authenticators.

-

replay-resistant authentication mechanisms for access to are implemented.

+

replay-resistant authentication mechanisms for access to are implemented.

@@ -29265,26 +27701,24 @@ - -

system accounts and services for which a single sign-on capability must be provided are defined;

-
+ +

system accounts and services for which a single sign-on capability must be provided are defined;

+
- + -

Provide a single sign-on capability for .

+

Provide a single sign-on capability for .

Single sign-on enables users to log in once and gain access to multiple system resources. Organizations consider the operational efficiencies provided by single sign-on capabilities with the risk introduced by allowing access to multiple systems via a single authentication event. Single sign-on can present opportunities to improve system security, for example by providing the ability to add multi-factor authentication for applications and systems (existing and new) that may not be able to natively support multi-factor authentication.

-

a single sign-on capability is provided for .

+

a single sign-on capability is provided for .

@@ -29334,15 +27768,13 @@ - +

Accept and electronically verify Personal Identity Verification-compliant credentials.

-

Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using SP 800-79-2 . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in SP 800-166 . The DOD Common Access Card (CAC) is an example of a PIV credential.

+

Acceptance of Personal Identity Verification (PIV)-compliant credentials applies to organizations implementing logical access control and physical access control systems. PIV-compliant credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidance documents. The adequacy and reliability of PIV card issuers are authorized using SP 800-79-2 . Acceptance of PIV-compliant credentials includes derived PIV credentials, the use of which is addressed in SP 800-166 . The DOD Common Access Card (CAC) is an example of a PIV credential.

@@ -29389,38 +27821,35 @@ - -

out-of-band authentication mechanisms to be implemented are defined;

-
+ +

out-of-band authentication mechanisms to be implemented are defined;

+
- -

conditions under which out-of-band authentication is to be implemented are defined;

-
+ +

conditions under which out-of-band authentication is to be implemented are defined;

+
- + -

Implement the following out-of-band authentication mechanisms under : .

+

Implement the following out-of-band authentication mechanisms under : .

-

Out-of-band authentication refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path) is used to identify and authenticate users or devices and is generally the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and/or requested action. For example, a user authenticates via a notebook computer to a remote server to which the user desires access and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user’s cell phone to verify that the requested action originated from the user. The user may confirm the intended action to an individual on the telephone or provide an authentication code via the telephone. Out-of-band authentication can be used to mitigate actual or suspected man-in the-middle attacks. The conditions or criteria for activation include suspicious activities, new threat indicators, elevated threat levels, or the impact or classification level of information in requested transactions.

+

Out-of-band authentication refers to the use of two separate communication paths to identify and authenticate users or devices to an information system. The first path (i.e., the in-band path) is used to identify and authenticate users or devices and is generally the path through which information flows. The second path (i.e., the out-of-band path) is used to independently verify the authentication and/or requested action. For example, a user authenticates via a notebook computer to a remote server to which the user desires access and requests some action of the server via that communication path. Subsequently, the server contacts the user via the user’s cell phone to verify that the requested action originated from the user. The user may confirm the intended action to an individual on the telephone or provide an authentication code via the telephone. Out-of-band authentication can be used to mitigate actual or suspected man-in the-middle attacks. The conditions or criteria for activation include suspicious activities, new threat indicators, elevated threat levels, or the impact or classification level of information in requested transactions.

-

- mechanisms are implemented under .

+

mechanisms are implemented under .

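Review bot: "man-in the-middle attacks" in the out-of-band authentication discussion (present on both the removed and the re-added line) is mis-hyphenated and should read "man-in-the-middle attacks". Out of scope for a whitespace fixup, so a separate content commit is the right place for it.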
@@ -29462,9 +27891,9 @@ - -

devices and/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;

-
+ +

devices and/or types of devices to be uniquely identified and authenticated before establishing a connection are defined;

+
@@ -29478,9 +27907,7 @@ - + @@ -29493,15 +27920,14 @@ -

Uniquely identify and authenticate before establishing a connection.

+

Uniquely identify and authenticate before establishing a connection.

Devices that require unique device-to-device identification and authentication are defined by type, device, or a combination of type and device. Organization-defined device types include devices that are not owned by the organization. Systems use shared known information (e.g., Media Access Control [MAC], Transmission Control Protocol/Internet Protocol [TCP/IP] addresses) for device identification or organizational authentication solutions (e.g., Institute of Electrical and Electronics Engineers (IEEE) 802.1x and Extensible Authentication Protocol [EAP], RADIUS server with EAP-Transport Layer Security [TLS] authentication, Kerberos) to identify and authenticate devices on local and wide area networks. Organizations determine the required strength of authentication mechanisms based on the security categories of systems and mission or business requirements. Because of the challenges of implementing device authentication on a large scale, organizations can restrict the application of the control to a limited number/type of devices based on mission or business needs.

-

- are uniquely identified and authenticated before establishing a connection.

+

are uniquely identified and authenticated before establishing a connection.

@@ -29540,9 +27966,9 @@ - -

devices and/or types of devices requiring use of cryptographically based, bidirectional authentication to authenticate before establishing one or more connections are defined;

-
+ +

devices and/or types of devices requiring use of cryptographically based, bidirectional authentication to authenticate before establishing one or more connections are defined;

+
@@ -29556,23 +27982,20 @@ - + -

Authenticate before establishing connection using bidirectional authentication that is cryptographically based.

+

Authenticate before establishing connection using bidirectional authentication that is cryptographically based.

A local connection is a connection with a device that communicates without the use of a network. A network connection is a connection with a device that communicates through a network. A remote connection is a connection with a device that communicates through an external network. Bidirectional authentication provides stronger protection to validate the identity of other devices for connections that are of greater risk.

-

- are authenticated before establishing connection using bidirectional authentication that is cryptographically based.

+

are authenticated before establishing connection using bidirectional authentication that is cryptographically based.

@@ -29618,40 +28041,34 @@ Dynamic Address Allocation - - + + - -

lease information to be employed to standardize dynamic address allocation for devices is defined;

-
+ +

lease information to be employed to standardize dynamic address allocation for devices is defined;

+
- -

lease duration to be employed to standardize dynamic address allocation for devices is defined;

-
+ +

lease duration to be employed to standardize dynamic address allocation for devices is defined;

+
- + -

Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with ; and

+

Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with ; and

@@ -29667,11 +28084,11 @@ -

dynamic address allocation lease information assigned to devices where addresses are allocated dynamically are standardized in accordance with ;

+

dynamic address allocation lease information assigned to devices where addresses are allocated dynamically are standardized in accordance with ;

-

dynamic address allocation lease duration assigned to devices where addresses are allocated dynamically are standardized in accordance with ;

+

dynamic address allocation lease duration assigned to devices where addresses are allocated dynamically are standardized in accordance with ;

@@ -29720,29 +28137,27 @@ - -

configuration management process to be employed to handle device identification and authentication based on attestation is defined;

-
+ +

configuration management process to be employed to handle device identification and authentication based on attestation is defined;

+
- + -

Handle device identification and authentication based on attestation by .

+

Handle device identification and authentication based on attestation by .

Device attestation refers to the identification and authentication of a device based on its configuration and known operating state. Device attestation can be determined via a cryptographic hash of the device. If device attestation is the means of identification and authentication, then it is important that patches and updates to the device are handled via a configuration management process such that the patches and updates are done securely and do not disrupt identification and authentication to other devices.

-

device identification and authentication are handled based on attestation by .

+

device identification and authentication are handled based on attestation by .

@@ -29786,24 +28201,22 @@ - -

personnel or roles from whom authorization must be received to assign an identifier are defined;

-
+ +

personnel or roles from whom authorization must be received to assign an identifier are defined;

+
- -

a time period for preventing reuse of identifiers is defined;

-
+ +

a time period for preventing reuse of identifiers is defined;

+
- + @@ -29830,7 +28243,7 @@

Manage system identifiers by:

-

Receiving authorization from to assign an individual, group, role, service, or device identifier;

+

Receiving authorization from to assign an individual, group, role, service, or device identifier;

@@ -29842,17 +28255,17 @@ -

Preventing reuse of identifiers for .

+

Preventing reuse of identifiers for .

-

Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4 . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.

+

Common device identifiers include Media Access Control (MAC) addresses, Internet Protocol (IP) addresses, or device-unique token identifiers. The management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the usernames of the system accounts assigned to those individuals. In such instances, the account management activities of AC-2 use account names provided by IA-4 . Identifier management also addresses individual identifiers not necessarily associated with system accounts. Preventing the reuse of identifiers implies preventing the assignment of previously used individual, group, role, service, or device identifiers to different individuals, groups, roles, services, or devices.

-

system identifiers are managed by receiving authorization from to assign to an individual, group, role, or device identifier;

+

system identifiers are managed by receiving authorization from to assign to an individual, group, role, or device identifier;

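Review bot: the assessment objective "system identifiers are managed by receiving authorization from to assign to an individual, group, role, or device identifier;" does not match the control statement earlier in this change, "Receiving authorization from to assign an individual, group, role, service, or device identifier;": it drops "service" and adds a stray "to". The whitespace patch preserves the text unchanged, which is correct here, but the mismatch should be tracked as a content defect.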
@@ -29864,7 +28277,7 @@ -

system identifiers are managed by preventing reuse of identifiers for .

+

system identifiers are managed by preventing reuse of identifiers for .

@@ -29904,9 +28317,7 @@ - + @@ -29971,31 +28382,27 @@ Identify User Status - + - -

characteristics used to identify individual status is defined;

-
+ +

characteristics used to identify individual status is defined;

+
- + -

Manage individual identifiers by uniquely identifying each individual as .

+

Manage individual identifiers by uniquely identifying each individual as .

Characteristics that identify the status of individuals include contractors, foreign nationals, and non-organizational users. Identifying the status of individuals by these characteristics provides additional information about the people with whom organizational personnel are communicating. For example, it might be useful for a government employee to know that one of the individuals on an email message is a contractor.

-

individual identifiers are managed by uniquely identifying each individual as .

+

individual identifiers are managed by uniquely identifying each individual as .

@@ -30032,27 +28439,25 @@ - -

a dynamic identifier policy for managing individual identifiers is defined;

-
+ +

a dynamic identifier policy for managing individual identifiers is defined;

+
- + -

Manage individual identifiers dynamically in accordance with .

+

Manage individual identifiers dynamically in accordance with .

In contrast to conventional approaches to identification that presume static accounts for preregistered users, many distributed systems establish identifiers at runtime for entities that were previously unknown. When identifiers are established at runtime for previously unknown entities, organizations can anticipate and provision for the dynamic establishment of identifiers. Pre-established trust relationships and mechanisms with appropriate authorities to validate credentials and related identifiers are essential.

-

individual identifiers are dynamically managed in accordance with .

+

individual identifiers are dynamically managed in accordance with .

@@ -30092,29 +28497,27 @@ - -

external organizations with whom to coordinate the cross-organization management of identifiers are defined;

-
+ +

external organizations with whom to coordinate the cross-organization management of identifiers are defined;

+
- + -

Coordinate with the following external organizations for cross-organization management of identifiers: .

+

Coordinate with the following external organizations for cross-organization management of identifiers: .

Cross-organization identifier management provides the capability to identify individuals, groups, roles, or devices when conducting cross-organization activities involving the processing, storage, or transmission of information.

-

cross-organization management of identifiers is coordinated with .

+

cross-organization management of identifiers is coordinated with .

@@ -30156,9 +28559,7 @@ - + @@ -30207,29 +28608,25 @@ - -

protected central storage used to maintain the attributes for each uniquely identified individual, device, or service is defined;

-
+ +

protected central storage used to maintain the attributes for each uniquely identified individual, device, or service is defined;

+
- - + + -

Maintain the attributes for each uniquely identified individual, device, or service in .

+

Maintain the attributes for each uniquely identified individual, device, or service in .

-

For each of the entities covered in IA-2, IA-3, IA-8 , and IA-9 , it is important to maintain the attributes for each authenticated entity on an ongoing basis in a central (protected) store.

+

For each of the entities covered in IA-2, IA-3, IA-8 , and IA-9 , it is important to maintain the attributes for each authenticated entity on an ongoing basis in a central (protected) store.

-

the attributes for each uniquely identified individual, device, or service are maintained in .

+

the attributes for each uniquely identified individual, device, or service are maintained in .

@@ -30268,27 +28665,23 @@ - -

a time period for changing or refreshing authenticators by authenticator type is defined;

-
+ +

a time period for changing or refreshing authenticators by authenticator type is defined;

+
- -

events that trigger the change or refreshment of authenticators are defined;

-
+ +

events that trigger the change or refreshment of authenticators are defined;

+
- - + + @@ -30339,7 +28732,7 @@
-

Changing or refreshing authenticators or when occur;

+

Changing or refreshing authenticators or when occur;

@@ -30355,7 +28748,7 @@
-

Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6 , and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.

+

Authenticators include passwords, cryptographic devices, biometrics, certificates, one-time password devices, and ID badges. Device authenticators include certificates and passwords. Initial authenticator content is the actual content of the authenticator (e.g., the initial password). In contrast, the requirements for authenticator content contain specific criteria or characteristics (e.g., minimum password length). Developers may deliver system components with factory default authentication credentials (i.e., passwords) to allow for initial installation and configuration. Default authentication credentials are often well known, easily discoverable, and present a significant risk. The requirement to protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators in the possession of individuals and by controls AC-3, AC-6 , and SC-28 for authenticators stored in organizational systems, including passwords stored in hashed or encrypted formats or files containing encrypted or hashed passwords accessible with administrator privileges.

Systems support authenticator management by organization-defined settings and restrictions for various authenticator characteristics (e.g., minimum password length, validation time window for time synchronous one-time tokens, and number of allowed rejections during the verification stage of biometric authentication). Actions can be taken to safeguard individual authenticators, including maintaining possession of authenticators, not sharing authenticators with others, and immediately reporting lost, stolen, or compromised authenticators. Authenticator management includes issuing and revoking authenticators for temporary access when no longer needed.
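Review bot: the spacing around the cross-references inside this paragraph ("via control PL-4 or PS-6", "AC-3, AC-6 , and SC-28") is the same on the removed and added lines, and that is the property to check across every paragraph in the file: these paragraphs are mixed content, so any pass that re-indents their child elements would inject whitespace into the rendered guidance text; a spot check that the reformat only touches whitespace between block-level elements and leaves text nodes inside paragraphs untouched would close this out.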

@@ -30382,7 +28775,7 @@ -

system authenticators are managed through the change or refreshment of authenticators or when occur;

+

system authenticators are managed through the change or refreshment of authenticators or when occur;

@@ -30441,34 +28834,30 @@ - -

the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;

-
+ +

the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;

+
- -

authenticator composition and complexity rules are defined;

-
+ +

authenticator composition and complexity rules are defined;

+
- - + +

For password-based authentication:

-

Maintain a list of commonly-used, expected, or compromised passwords and update the list and when organizational passwords are suspected to have been compromised directly or indirectly;

+

Maintain a list of commonly-used, expected, or compromised passwords and update the list and when organizational passwords are suspected to have been compromised directly or indirectly;
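Review bot: "commonly-used" (hyphenated) on this hunk's statement line differs from "commonly used" in the parameter label and the assessment objective of the same control; the inconsistency is pre-existing and identical on both sides of the hunk, so it should not ride along in a whitespace-only commit, but it is worth a separate text-only follow-up.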

@@ -30496,7 +28885,7 @@ -

Enforce the following composition and complexity rules: .

+

Enforce the following composition and complexity rules: .

@@ -30506,7 +28895,7 @@ -

for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated and when organizational passwords are suspected to have been compromised directly or indirectly;

+

for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated and when organizational passwords are suspected to have been compromised directly or indirectly;

@@ -30534,7 +28923,7 @@ -

for password-based authentication, are enforced.

+

for password-based authentication, are enforced.

@@ -30574,9 +28963,7 @@ - + @@ -30687,9 +29074,7 @@ - +

Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation.

@@ -30737,9 +29122,7 @@ - + @@ -30789,9 +29172,7 @@ - +

Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.

@@ -30842,28 +29223,25 @@ - -

security controls implemented to manage the risk of compromise due to individuals having accounts on multiple systems are defined;

-
+ +

security controls implemented to manage the risk of compromise due to individuals having accounts on multiple systems are defined;

+
- + -

Implement to manage the risk of compromise due to individuals having accounts on multiple systems.

+

Implement to manage the risk of compromise due to individuals having accounts on multiple systems.

-

When individuals have accounts on multiple systems and use the same authenticators such as passwords, there is the risk that a compromise of one account may lead to the compromise of other accounts. Alternative approaches include having different authenticators (passwords) on all systems, employing a single sign-on or federation mechanism, or using some form of one-time passwords on all systems. Organizations can also use rules of behavior (see PL-4 ) and access agreements (see PS-6 ) to mitigate the risk of multiple system accounts.

+

When individuals have accounts on multiple systems and use the same authenticators such as passwords, there is the risk that a compromise of one account may lead to the compromise of other accounts. Alternative approaches include having different authenticators (passwords) on all systems, employing a single sign-on or federation mechanism, or using some form of one-time passwords on all systems. Organizations can also use rules of behavior (see PL-4 ) and access agreements (see PS-6 ) to mitigate the risk of multiple system accounts.

-

- are implemented to manage the risk of compromise due to individuals having accounts on multiple systems.

+

are implemented to manage the risk of compromise due to individuals having accounts on multiple systems.
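Review bot: the assessment-objective line in this hunk begins with a parameter reference rather than a word (" are implemented to manage the risk of compromise due to individuals having accounts on multiple systems."), so its leading whitespace is part of the rendered sentence; confirm that the reformat does not trim or normalize leading and trailing space on lines that start or end with an inline element, since an indenting pass that strips text nodes would run the inserted parameter straight into "are".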

@@ -30900,29 +29278,26 @@ - -

external organizations to be used for federating credentials are defined;

-
+ +

external organizations to be used for federating credentials are defined;

+
- + -

Use the following external organizations to federate credentials: .

+

Use the following external organizations to federate credentials: .

Federation provides organizations with the capability to authenticate individuals and devices when conducting cross-organization activities involving the processing, storage, or transmission of information. Using a specific list of approved external organizations for authentication helps to ensure that those organizations are vetted and trusted.

-

- are used to federate credentials.

+

are used to federate credentials.

@@ -30959,28 +29334,26 @@ - -

rules for dynamically binding identities and authenticators are defined;

-
+ +

rules for dynamically binding identities and authenticators are defined;

+
- + -

Bind identities and authenticators dynamically using the following rules: .

+

Bind identities and authenticators dynamically using the following rules: .

Authentication requires some form of binding between an identity and the authenticator that is used to confirm the identity. In conventional approaches, binding is established by pre-provisioning both the identity and the authenticator to the system. For example, the binding between a username (i.e., identity) and a password (i.e., authenticator) is accomplished by provisioning the identity and authenticator as a pair in the system. New authentication techniques allow the binding between the identity and the authenticator to be implemented external to a system. For example, with smartcard credentials, the identity and authenticator are bound together on the smartcard. Using these credentials, systems can authenticate identities that have not been pre-provisioned, dynamically provisioning the identity after authentication. In these situations, organizations can anticipate the dynamic provisioning of identities. Pre-established trust relationships and mechanisms with appropriate authorities to validate identities and related credentials are essential.

-

identities and authenticators are dynamically bound using .

+

identities and authenticators are dynamically bound using .

@@ -31029,27 +29402,25 @@ - -

biometric quality requirements for biometric-based authentication are defined;

-
+ +

biometric quality requirements for biometric-based authentication are defined;

+
- + -

For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements .

+

For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements .

Unlike password-based authentication, which provides exact matches of user-input passwords to stored passwords, biometric authentication does not provide exact matches. Depending on the type of biometric and the type of collection mechanism, there is likely to be some divergence from the presented biometric and the stored biometric that serves as the basis for comparison. Matching performance is the rate at which a biometric algorithm correctly results in a match for a genuine user and rejects other users. Biometric performance requirements include the match rate, which reflects the accuracy of the biometric matching algorithm used by a system.

-

mechanisms that satisfy are employed for biometric-based authentication.

+

mechanisms that satisfy are employed for biometric-based authentication.

@@ -31090,26 +29461,24 @@ - -

the time period after which the use of cached authenticators is prohibited is defined;

-
+ +

the time period after which the use of cached authenticators is prohibited is defined;

+
- + -

Prohibit the use of cached authenticators after .

+

Prohibit the use of cached authenticators after .

Cached authenticators are used to authenticate to the local machine when the network is not available. If cached authentication information is out of date, the validity of the authentication information may be questionable.

-

the use of cached authenticators is prohibited after .

+

the use of cached authenticators is prohibited after .

@@ -31147,9 +29516,7 @@ - +

For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications.

@@ -31200,9 +29567,7 @@ - +

Use only General Services Administration-approved products and services for identity, credential, and access management.

@@ -31252,9 +29617,9 @@ - -

types of and/or specific authenticators to be issued are defined;

-
+ +

types of and/or specific authenticators to be issued are defined;

+
@@ -31268,35 +29633,33 @@ - -

the registration authority that issues authenticators is defined;

-
+ +

the registration authority that issues authenticators is defined;

+
- -

the personnel or roles who authorize the issuance of authenticators are defined;

-
+ +

the personnel or roles who authorize the issuance of authenticators are defined;

+
- + -

Require that the issuance of be conducted before with authorization by .

+

Require that the issuance of be conducted before with authorization by .

Issuing authenticators in person or by a trusted external party enhances and reinforces the trustworthiness of the identity proofing process.

-

the issuance of is required to be conducted before with authorization by .

+

the issuance of is required to be conducted before with authorization by .

@@ -31335,9 +29698,7 @@ - + @@ -31388,48 +29749,45 @@ - -

password managers employed for generating and managing passwords are defined;

-
+ +

password managers employed for generating and managing passwords are defined;

+
- -

controls for protecting passwords are defined;

-
+ +

controls for protecting passwords are defined;

+
- + -

Employ to generate and manage passwords; and

+

Employ to generate and manage passwords; and

-

Protect the passwords using .

+

Protect the passwords using .

-

For systems where static passwords are employed, it is often a challenge to ensure that the passwords are suitably complex and that the same passwords are not employed on multiple systems. A password manager is a solution to this problem as it automatically generates and stores strong and different passwords for various accounts. A potential risk of using password managers is that adversaries can target the collection of passwords generated by the password manager. Therefore, the collection of passwords requires protection including encrypting the passwords (see IA-5(1)(d) ) and storing the collection offline in a token.

+

For systems where static passwords are employed, it is often a challenge to ensure that the passwords are suitably complex and that the same passwords are not employed on multiple systems. A password manager is a solution to this problem as it automatically generates and stores strong and different passwords for various accounts. A potential risk of using password managers is that adversaries can target the collection of passwords generated by the password manager. Therefore, the collection of passwords requires protection including encrypting the passwords (see IA-5(1)(d) ) and storing the collection offline in a token.

-

- are employed to generate and manage passwords;

+

are employed to generate and manage passwords;

-

the passwords are protected using .

+

the passwords are protected using .

@@ -31470,9 +29828,7 @@ - +

Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

@@ -31519,9 +29875,7 @@ - + @@ -31574,9 +29928,7 @@ - + @@ -31603,7 +29955,7 @@

Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

-

Non-organizational users include system users other than organizational users explicitly covered by IA-2 . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in AC-14 . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.

+

Non-organizational users include system users other than organizational users explicitly covered by IA-2 . Non-organizational users are uniquely identified and authenticated for accesses other than those explicitly identified and documented in AC-14 . Identification and authentication of non-organizational users accessing federal systems may be required to protect federal, proprietary, or privacy-related information (with exceptions noted for national security systems). Organizations consider many factors—including security, privacy, scalability, and practicality—when balancing the need to ensure ease of use for access to federal information and systems with the need to protect and adequately mitigate risk.

@@ -31646,16 +29998,14 @@ - +

Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.

-

Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using SP 800-79-2.

+

Acceptance of Personal Identity Verification (PIV) credentials from other federal agencies applies to both logical and physical access control systems. PIV credentials are those credentials issued by federal agencies that conform to FIPS Publication 201 and supporting guidelines. The adequacy and reliability of PIV card issuers are addressed and authorized using SP 800-79-2.

@@ -31709,9 +30059,7 @@ - + @@ -31724,7 +30072,7 @@ -

Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with SP 800-63B . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level.

+

Acceptance of only NIST-compliant external authenticators applies to organizational systems that are accessible to the public (e.g., public-facing websites). External authenticators are issued by nonfederal government entities and are compliant with SP 800-63B . Approved external authenticators meet or exceed the minimum Federal Government-wide technical, security, privacy, and organizational maturity requirements. Meeting or exceeding Federal requirements allows Federal Government relying parties to trust external authenticators in connection with an authentication transaction at a specified authenticator assurance level.

@@ -31782,7 +30130,7 @@
- Use of FICAM-approved Products + Use of FICAM-approved Products @@ -31795,26 +30143,24 @@ - -

identity management profiles are defined;

-
+ +

identity management profiles are defined;

+
- + -

Conform to the following profiles for identity management .

+

Conform to the following profiles for identity management .

Organizations define profiles for identity management based on open identity management standards. To ensure that open identity management standards are viable, robust, reliable, sustainable, and interoperable as documented, the Federal Government assesses and scopes the standards and technology implementations against applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

-

there is conformance with for identity management.

+

there is conformance with for identity management.

@@ -31854,19 +30200,17 @@ - -

a policy for using federated or PKI credentials is defined;

-
+ +

a policy for using federated or PKI credentials is defined;

+
- + -

Accept and verify federated or PKI credentials that meet .

+

Accept and verify federated or PKI credentials that meet .

Acceptance of PIV-I credentials can be implemented by PIV, PIV-I, and other commercial or external identity providers. The acceptance and verification of PIV-I-compliant credentials apply to both logical and physical access control systems. The acceptance and verification of PIV-I credentials address nonfederal issuers of identity cards that desire to interoperate with United States Government PIV systems and that can be trusted by Federal Government-relying parties. The X.509 certificate policy for the Federal Bridge Certification Authority (FBCA) addresses PIV-I requirements. The PIV-I card is commensurate with the PIV credentials as defined in cited references. PIV-I credentials are the credentials issued by a PIV-I provider whose PIV-I certificate policy maps to the Federal Bridge PIV-I Certificate Policy. A PIV-I provider is cross-certified with the FBCA (directly or through another PKI bridge) with policies that have been mapped and approved as meeting the requirements of the PIV-I policies defined in the FBCA certificate policy.

@@ -31875,11 +30219,11 @@ -

federated or PKI credentials that meet are accepted;

+

federated or PKI credentials that meet are accepted;

-

federated or PKI credentials that meet are verified.

+

federated or PKI credentials that meet are verified.

@@ -31924,27 +30268,24 @@ - -

disassociability measures are defined;

-
+ +

disassociability measures are defined;

+
- + -

Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: .

+

Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: .

Federated identity solutions can create increased privacy risks due to the tracking and profiling of individuals. Using identifier mapping tables or cryptographic techniques to blind credential service providers and relying parties from each other or to make identity attributes less visible to transmitting parties can reduce these privacy risks.

-

- to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties are implemented.

+

to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties are implemented.

@@ -31986,33 +30327,28 @@ - -

system services and applications to be uniquely identified and authenticated are defined;

-
+ +

system services and applications to be uniquely identified and authenticated are defined;

+
- - + + -

Uniquely identify and authenticate before establishing communications with devices, users, or other services or applications.

+

Uniquely identify and authenticate before establishing communications with devices, users, or other services or applications.

Services that may require identification and authentication include web applications using digital certificates or services or applications that query a database. Identification and authentication methods for system services and applications include information or code signing, provenance graphs, and electronic signatures that indicate the sources of services. Decisions regarding the validity of identification and authentication claims can be made by services separate from the services acting on those decisions. This can occur in distributed system architectures. In such situations, the identification and authentication decisions (instead of actual identifiers and authentication data) are provided to the services that need to act on those decisions.

-

- are uniquely identified and authenticated before establishing communications with devices, users, or other services or applications.

+

are uniquely identified and authenticated before establishing communications with devices, users, or other services or applications.

@@ -32069,36 +30405,34 @@ - -

supplemental authentication techniques or mechanisms to be employed when accessing the system under specific circumstances or situations are defined;

-
+ +

supplemental authentication techniques or mechanisms to be employed when accessing the system under specific circumstances or situations are defined;

+
- -

circumstances or situations that require individuals accessing the system to employ supplemental authentication techniques or mechanisms are defined;

-
+ +

circumstances or situations that require individuals accessing the system to employ supplemental authentication techniques or mechanisms are defined;

+
- + -

Require individuals accessing the system to employ under specific .

+

Require individuals accessing the system to employ under specific .

Adversaries may compromise individual authentication mechanisms employed by organizations and subsequently attempt to impersonate legitimate users. To address this threat, organizations may employ specific techniques or mechanisms and establish protocols to assess suspicious behavior. Suspicious behavior may include accessing information that individuals do not typically access as part of their duties, roles, or responsibilities; accessing greater quantities of information than individuals would routinely access; or attempting to access information from suspicious network addresses. When pre-established conditions or triggers occur, organizations can require individuals to provide additional authentication information. Another potential use for adaptive authentication is to increase the strength of mechanism based on the number or types of records being accessed. Adaptive authentication does not replace and is not used to avoid the use of multi-factor authentication mechanisms but can augment implementations of multi-factor authentication.

-

individuals accessing the system are required to employ under specific .

+

individuals accessing the system are required to employ under specific .

@@ -32137,24 +30471,18 @@ Re-authentication - + - -

circumstances or situations requiring re-authentication are defined;

-
+ +

circumstances or situations requiring re-authentication are defined;

+
- - + + @@ -32162,14 +30490,14 @@ -

Require users to re-authenticate when .

+

Require users to re-authenticate when .

In addition to the re-authentication requirements associated with device locks, organizations may require re-authentication of individuals in certain situations, including when roles, authenticators or credentials change, when security categories of systems change, when the execution of privileged functions occurs, after a fixed time period, or periodically.

-

users are required to re-authenticate when .

+

users are required to re-authenticate when .

@@ -32209,9 +30537,7 @@ - + @@ -32239,7 +30565,7 @@
-

Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include SP 800-63-3 and SP 800-63A . Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

+

Identity proofing is the process of collecting, validating, and verifying a user’s identity information for the purposes of establishing credentials for accessing a system. Identity proofing is intended to mitigate threats to the registration of users and the establishment of their accounts. Standards and guidelines specifying identity assurance levels for identity proofing include SP 800-63-3 and SP 800-63A . Organizations may be subject to laws, executive orders, directives, regulations, or policies that address the collection of identity evidence. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such requirements.

@@ -32302,9 +30628,7 @@ - +

Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization.

@@ -32350,9 +30674,7 @@ - +

Require evidence of individual identification be presented to the registration authority.

@@ -32397,31 +30719,27 @@ Identity Evidence Validation and Verification - + - -

methods of validation and verification of identity evidence are defined;

-
+ +

methods of validation and verification of identity evidence are defined;

+
- + -

Require that the presented identity evidence be validated and verified through .

+

Require that the presented identity evidence be validated and verified through .

Validation and verification of identity evidence increases the assurance that accounts and identifiers are being established for the correct user and authenticators are being bound to that user. Validation refers to the process of confirming that the evidence is genuine and authentic, and the data contained in the evidence is correct, current, and related to an individual. Verification confirms and establishes a linkage between the claimed identity and the actual existence of the user presenting the evidence. Acceptable methods for validating and verifying identity evidence are consistent with the risks to the systems, roles, and privileges associated with the users account.

-

the presented identity evidence is validated and verified through .

+

the presented identity evidence is validated and verified through .

@@ -32457,9 +30775,7 @@ - +

Require that the validation and verification of identity evidence be conducted in person before a designated registration authority.

@@ -32513,20 +30829,18 @@ - + -

Require that a be delivered through an out-of-band channel to verify the users address (physical or digital) of record.

+

Require that a be delivered through an out-of-band channel to verify the users address (physical or digital) of record.

To make it more difficult for adversaries to pose as legitimate users during the identity proofing process, organizations can use out-of-band methods to ensure that the individual associated with an address of record is the same individual that participated in the registration. Confirmation can take the form of a temporary enrollment code or a notice of proofing. The delivery address for these artifacts is obtained from records and not self-asserted by the user. The address can include a physical or digital address. A home address is an example of a physical address. Email addresses and telephone numbers are examples of digital addresses.

-

a is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.

+

a is delivered through an out-of-band channel to verify the user’s address (physical or digital) of record.

@@ -32563,30 +30877,28 @@ - -

an identity assurance level for accepting externally proofed identities is defined;

-
+ +

an identity assurance level for accepting externally proofed identities is defined;

+
- + -

Accept externally-proofed identities at .

+

Accept externally-proofed identities at .

To limit unnecessary re-proofing of identities, particularly of non-PIV users, organizations accept proofing conducted at a commensurate level of assurance by other agencies or organizations. Proofing is consistent with organizational security policy and the identity assurance level appropriate for the system, application, or information accessed. Accepting externally-proofed identities is a fundamental component of managing federated identities across agencies and organizations.

-

externally proofed identities are accepted .

+

externally proofed identities are accepted .

@@ -32624,27 +30936,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the incident response policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the incident response policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the incident response procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the incident response procedures are to be disseminated is/are defined;

+
@@ -32659,51 +30967,47 @@ - -

an official to manage the incident response policy and procedures is defined;

-
+ +

an official to manage the incident response policy and procedures is defined;

+
- -

the frequency at which the current incident response policy is reviewed and updated is defined;

-
+ +

the frequency at which the current incident response policy is reviewed and updated is defined;

+
- -

events that would require the current incident response policy to be reviewed and updated are defined;

-
+ +

events that would require the current incident response policy to be reviewed and updated are defined;

+
- -

the frequency at which the current incident response procedures are reviewed and updated is defined;

-
+ +

the frequency at which the current incident response procedures are reviewed and updated is defined;

+
- -

events that would require the incident response procedures to be reviewed and updated are defined;

-
+ +

events that would require the incident response procedures to be reviewed and updated are defined;

+
- - + + @@ -32718,11 +31022,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- incident response policy that:

+

incident response policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

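Review bot: the removed line in this hunk reads "- incident response policy that:" with a space between the diff marker and the text, while the matching added line reads "incident response policy that:" with no such space, and the same asymmetry recurs in later hunks ("- thereafter; and", "- are identified;", "- are taken in response to those incidents", "- are employed to respond to incidents."). Each of these statements resumes mid-sentence after an inserted parameter value, so a leading space in the text node is part of the rendered sentence (the value followed by " thereafter; and"). Please confirm that the new serialization keeps that space inside the text rather than folding it into indentation; if the difference is only in how the diff marker was attached, a spot check of those rendered statements in the new catalog would settle it and is worth noting in the description.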
@@ -32739,18 +31042,18 @@
-

Designate an to manage the development, documentation, and dissemination of the incident response policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the incident response policy and procedures; and

Review and update the current incident response:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -32767,7 +31070,7 @@
-

the incident response policy is disseminated to ;

+

the incident response policy is disseminated to ;

@@ -32775,7 +31078,7 @@ -

the incident response procedures are disseminated to ;

+

the incident response procedures are disseminated to ;

@@ -32783,42 +31086,42 @@ -

the incident response policy addresses purpose;

+

the incident response policy addresses purpose;

-

the incident response policy addresses scope;

+

the incident response policy addresses scope;

-

the incident response policy addresses roles;

+

the incident response policy addresses roles;

-

the incident response policy addresses responsibilities;

+

the incident response policy addresses responsibilities;

-

the incident response policy addresses management commitment;

+

the incident response policy addresses management commitment;

-

the incident response policy addresses coordination among organizational entities;

+

the incident response policy addresses coordination among organizational entities;

-

the incident response policy addresses compliance;

+

the incident response policy addresses compliance;

-

the incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+

the incident response policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

-

the is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the incident response policy and procedures;

@@ -32826,22 +31129,22 @@ -

the current incident response policy is reviewed and updated ;

+

the current incident response policy is reviewed and updated ;

-

the current incident response policy is reviewed and updated following ;

+

the current incident response policy is reviewed and updated following ;

-

the current incident response procedures are reviewed and updated ;

+

the current incident response procedures are reviewed and updated ;

-

the current incident response procedures are reviewed and updated following .

+

the current incident response procedures are reviewed and updated following .

@@ -32871,43 +31174,39 @@ - -

a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;

-
+ +

a time period within which incident response training is to be provided to system users assuming an incident response role or responsibility is defined;

+
- -

frequency at which to provide incident response training to users is defined;

-
+ +

frequency at which to provide incident response training to users is defined;

+
- -

frequency at which to review and update incident response training content is defined;

-
+ +

frequency at which to review and update incident response training content is defined;

+
- -

events that initiate a review of the incident response training content are defined;

-
+ +

events that initiate a review of the incident response training content are defined;

+
- - + + @@ -32924,7 +31223,7 @@

Provide incident response training to system users consistent with assigned roles and responsibilities:

-

Within of assuming an incident response role or responsibility or acquiring system access;

+

Within of assuming an incident response role or responsibility or acquiring system access;

@@ -32932,17 +31231,16 @@ -

- thereafter; and

+

thereafter; and

-

Review and update incident response training content and following .

+

Review and update incident response training content and following .

-

Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3 . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+

Incident response training is associated with the assigned roles and responsibilities of organizational personnel to ensure that the appropriate content and level of detail are included in such training. For example, users may only need to know who to call or how to recognize an incident; system administrators may require additional training on how to handle incidents; and incident responders may receive more specific training on forensics, data collection techniques, reporting, system recovery, and system restoration. Incident response training includes user training in identifying and reporting suspicious activities from external and internal sources. Incident response training for users may be provided as part of AT-2 or AT-3 . Events that may precipitate an update to incident response training content include, but are not limited to, incident response plan testing or response to an actual incident (lessons learned), assessment or audit findings, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

@@ -32950,7 +31248,7 @@ -

incident response training is provided to system users consistent with assigned roles and responsibilities within of assuming an incident response role or responsibility or acquiring system access;

+

incident response training is provided to system users consistent with assigned roles and responsibilities within of assuming an incident response role or responsibility or acquiring system access;

@@ -32958,18 +31256,18 @@ -

incident response training is provided to system users consistent with assigned roles and responsibilities thereafter;

+

incident response training is provided to system users consistent with assigned roles and responsibilities thereafter;

-

incident response training content is reviewed and updated ;

+

incident response training content is reviewed and updated ;

-

incident response training content is reviewed and updated following .

+

incident response training content is reviewed and updated following .

@@ -33002,12 +31300,8 @@ - - + +

Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.

@@ -33055,29 +31349,25 @@ - -

automated mechanisms used in an incident response training environment are defined;

-
+ +

automated mechanisms used in an incident response training environment are defined;

+
- - + + -

Provide an incident response training environment using .

+

Provide an incident response training environment using .

Automated mechanisms can provide a more thorough and realistic incident response training environment. This can be accomplished, for example, by providing more complete coverage of incident response issues, selecting more realistic training scenarios and environments, and stressing the response capability.

-

an incident response training environment is provided using .

+

an incident response training environment is provided using .

@@ -33115,18 +31405,14 @@ - - + +

Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach.

-

For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes. The incident response training emphasizes the obligation of individuals to report both confirmed and suspected breaches involving information in any medium or form, including paper, oral, and electronic. Incident response training includes tabletop exercises that simulate a breach. See IR-2(1).

+

For federal agencies, an incident that involves personally identifiable information is considered a breach. A breach results in the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or a similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information or an authorized user accesses or potentially accesses such information for other than authorized purposes. The incident response training emphasizes the obligation of individuals to report both confirmed and suspected breaches involving information in any medium or form, including paper, oral, and electronic. Incident response training includes tabletop exercises that simulate a breach. See IR-2(1).

@@ -33173,27 +31459,23 @@ - -

frequency at which to test the effectiveness of the incident response capability for the system is defined;

-
+ +

frequency at which to test the effectiveness of the incident response capability for the system is defined;

+
- -

tests used to test the effectiveness of the incident response capability for the system are defined;

-
+ +

tests used to test the effectiveness of the incident response capability for the system are defined;

+
- - + + @@ -33204,14 +31486,14 @@ -

Test the effectiveness of the incident response capability for the system using the following tests: .

+

Test the effectiveness of the incident response capability for the system using the following tests: .

Organizations test incident response capabilities to determine their effectiveness and identify potential weaknesses or deficiencies. Incident response testing includes the use of checklists, walk-through or tabletop exercises, and simulations (parallel or full interrupt). Incident response testing can include a determination of the effects on organizational operations and assets and individuals due to incident response. The use of qualitative and quantitative data aids in determining the effectiveness of incident response processes.

-

the effectiveness of the incident response capability for the system is tested using .

+

the effectiveness of the incident response capability for the system is tested using .

@@ -33245,29 +31527,25 @@ - -

automated mechanisms used to test the incident response capability are defined;

-
+ +

automated mechanisms used to test the incident response capability are defined;

+
- - + + -

Test the incident response capability using .

+

Test the incident response capability using .

Organizations use automated mechanisms to more thoroughly and effectively test incident response capabilities. This can be accomplished by providing more complete coverage of incident response issues, selecting realistic test scenarios and environments, and stressing the response capability.

-

the incident response capability is tested using .

+

the incident response capability is tested using .

@@ -33308,12 +31586,8 @@ - - + +

Coordinate incident response testing with organizational elements responsible for related plans.

@@ -33361,12 +31635,8 @@ - - + +

Use qualitative and quantitative data from testing to:

@@ -33475,9 +31745,7 @@ - + @@ -33630,26 +31898,24 @@ - -

automated mechanisms used to support the incident handling process are defined;

-
+ +

automated mechanisms used to support the incident handling process are defined;

+
- + -

Support the incident handling process using .

+

Support the incident handling process using .

Automated mechanisms that support incident handling processes include online incident management systems and tools that support the collection of live response data, full network packet capture, and forensic analysis.

-

the incident handling process is supported using .

+

the incident handling process is supported using .

@@ -33688,38 +31954,35 @@ - -

types of dynamic reconfiguration for system components are defined;

-
+ +

types of dynamic reconfiguration for system components are defined;

+
- -

system components that require dynamic reconfiguration are defined;

-
+ +

system components that require dynamic reconfiguration are defined;

+
- + -

Include the following types of dynamic reconfiguration for as part of the incident response capability: .

+

Include the following types of dynamic reconfiguration for as part of the incident response capability: .

Dynamic reconfiguration includes changes to router rules, access control lists, intrusion detection or prevention system parameters, and filter rules for guards or firewalls. Organizations may perform dynamic reconfiguration of systems to stop attacks, misdirect attackers, and isolate components of systems, thus limiting the extent of the damage from breaches or compromises. Organizations include specific time frames for achieving the reconfiguration of systems in the definition of the reconfiguration capability, considering the potential need for rapid response to effectively address cyber threats.

-

- for are included as part of the incident response capability.

+

for are included as part of the incident response capability.

@@ -33759,45 +32022,39 @@ - -

classes of incidents requiring an organization-defined action (defined in IR-04(03)_ODP[02]) to be taken are defined;

-
+ +

classes of incidents requiring an organization-defined action (defined in IR-04(03)_ODP[02]) to be taken are defined;

+
- + - -

actions to be taken in response to organization-defined classes of incidents are defined;

-
+ +

actions to be taken in response to organization-defined classes of incidents are defined;

+
- + -

Identify and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: .

+

Identify and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: .

-

Classes of incidents include malfunctions due to design or implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Incident response actions include orderly system degradation, system shutdown, fall back to manual mode or activation of alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved for when systems are under attack. Organizations consider whether continuity of operations requirements during an incident conflict with the capability to automatically disable the system as specified as part of IR-4(5).

+

Classes of incidents include malfunctions due to design or implementation errors and omissions, targeted malicious attacks, and untargeted malicious attacks. Incident response actions include orderly system degradation, system shutdown, fall back to manual mode or activation of alternative technology whereby the system operates differently, employing deceptive measures, alternate information flows, or operating in a mode that is reserved for when systems are under attack. Organizations consider whether continuity of operations requirements during an incident conflict with the capability to automatically disable the system as specified as part of IR-4(5).

-

- are identified;

+

are identified;

-

- are taken in response to those incidents (defined in IR-04(03)_ODP[01]) to ensure the continuation of organizational mission and business functions.

+

are taken in response to those incidents (defined in IR-04(03)_ODP[01]) to ensure the continuation of organizational mission and business functions.

@@ -33835,9 +32092,7 @@ - +

Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.

@@ -33896,29 +32151,25 @@ - -

security violations that automatically disable a system are defined;

-
+ +

security violations that automatically disable a system are defined;

+
- - + + -

Implement a configurable capability to automatically disable the system if are detected.

+

Implement a configurable capability to automatically disable the system if are detected.

-

Organizations consider whether the capability to automatically disable the system conflicts with continuity of operations requirements specified as part of CP-2 or IR-4(3) . Security violations include cyber-attacks that have compromised the integrity of the system or exfiltrated organizational information and serious errors in software programs that could adversely impact organizational missions or functions or jeopardize the safety of individuals.

+

Organizations consider whether the capability to automatically disable the system conflicts with continuity of operations requirements specified as part of CP-2 or IR-4(3) . Security violations include cyber-attacks that have compromised the integrity of the system or exfiltrated organizational information and serious errors in software programs that could adversely impact organizational missions or functions or jeopardize the safety of individuals.

-

a configurable capability is implemented to automatically disable the system if are detected.

+

a configurable capability is implemented to automatically disable the system if are detected.

@@ -33958,9 +32209,7 @@ - +

Implement an incident handling capability for incidents involving insider threats.

@@ -34009,19 +32258,17 @@ - -

entities that require coordination for an incident handling capability for insider threats are defined;

-
+ +

entities that require coordination for an incident handling capability for insider threats are defined;

+
- + -

Coordinate an incident handling capability for insider threats that includes the following organizational entities .

+

Coordinate an incident handling capability for insider threats that includes the following organizational entities .

Incident handling for insider threat incidents (e.g., preparation, detection and analysis, containment, eradication, and recovery) requires coordination among many organizational entities, including mission or business owners, system owners, human resources offices, procurement offices, personnel offices, physical security offices, senior agency information security officer, operations personnel, risk executive (function), senior agency official for privacy, and legal counsel. In addition, organizations may require external support from federal, state, and local law enforcement agencies.

@@ -34034,7 +32281,7 @@
-

the coordinated incident handling capability includes .

+

the coordinated incident handling capability includes .

@@ -34074,36 +32321,34 @@ - -

external organizations with whom organizational incident information is to be coordinated and shared are defined;

-
+ +

external organizations with whom organizational incident information is to be coordinated and shared are defined;

+
- -

incident information to be correlated and shared with organization-defined external organizations are defined;

-
+ +

incident information to be correlated and shared with organization-defined external organizations are defined;

+
- + -

Coordinate with to correlate and share to achieve a cross-organization perspective on incident awareness and more effective incident responses.

+

Coordinate with to correlate and share to achieve a cross-organization perspective on incident awareness and more effective incident responses.

The coordination of incident information with external organizations—including mission or business partners, military or coalition partners, customers, and developers—can provide significant benefits. Cross-organizational coordination can serve as an important risk management capability. This capability allows organizations to leverage information from a variety of sources to effectively respond to incidents and breaches that could potentially affect the organization’s operations, assets, and individuals.

-

there is coordination with to correlate and share to achieve a cross-organization perspective on incident awareness and more effective incident responses.

+

there is coordination with to correlate and share to achieve a cross-organization perspective on incident awareness and more effective incident responses.

@@ -34142,27 +32387,24 @@ - -

dynamic response capabilities to be employed to respond to incidents are defined;

-
+ +

dynamic response capabilities to be employed to respond to incidents are defined;

+
- + -

Employ to respond to incidents.

+

Employ to respond to incidents.

The dynamic response capability addresses the timely deployment of new or replacement organizational capabilities in response to incidents. This includes capabilities implemented at the mission and business process level and at the system level.

-

- are employed to respond to incidents.

+

are employed to respond to incidents.

@@ -34201,9 +32443,7 @@ - + @@ -34253,20 +32493,18 @@ - -

the time period within which an integrated incident response team can be deployed is defined;

-
+ +

the time period within which an integrated incident response team can be deployed is defined;

+
- + -

Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in .

+

Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in .

An integrated incident response team is a team of experts that assesses, documents, and responds to incidents so that organizational systems and networks can recover quickly and implement the necessary controls to avoid future incidents. Incident response team personnel include forensic and malicious code analysts, tool developers, systems security and privacy engineers, and real-time operations personnel. The incident handling capability includes performing rapid forensic preservation of evidence and analysis of and response to intrusions. For some organizations, the incident response team can be a cross-organizational entity.

@@ -34280,7 +32518,7 @@
-

the integrated incident response team can be deployed to any location identified by the organization in .

+

the integrated incident response team can be deployed to any location identified by the organization in .

@@ -34311,9 +32549,7 @@ - +

Analyze malicious code and/or other residual artifacts remaining in the system after the incident.

@@ -34376,26 +32612,24 @@ - -

environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defined;

-
+ +

environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defined;

+
- + -

Analyze anomalous or suspected adversarial behavior in or related to .

+

Analyze anomalous or suspected adversarial behavior in or related to .

If the organization maintains a deception environment, an analysis of behaviors in that environment, including resources targeted by the adversary and timing of the incident or event, can provide insight into adversarial tactics, techniques, and procedures. External to a deception environment, the analysis of anomalous adversarial behavior (e.g., changes in system performance or usage patterns) or suspected behavior (e.g., changes in searches for the location of specific resources) can give the organization such insight.

-

anomalous or suspected adversarial behavior in or related to are analyzed.

+

anomalous or suspected adversarial behavior in or related to are analyzed.

@@ -34437,12 +32671,8 @@ - - + +

Establish and maintain a security operations center.

@@ -34500,9 +32730,7 @@ - + @@ -34556,12 +32784,8 @@ - - + + @@ -34579,7 +32803,7 @@

Track and document incidents.

-

Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. IR-4 provides information on the types of incidents that are appropriate for monitoring.

+

Documenting incidents includes maintaining records about each incident, the status of the incident, and other pertinent information necessary for forensics as well as evaluating incident details, trends, and handling. Incident information can be obtained from a variety of sources, including network monitoring, incident reports, incident response teams, user complaints, supply chain partners, audit monitoring, physical access monitoring, and user and administrator reports. IR-4 provides information on the types of incidents that are appropriate for monitoring.

@@ -34624,50 +32848,40 @@ Automated Tracking, Data Collection, and Analysis - - - + + + - -

automated mechanisms used to track incidents are defined;

-
+ +

automated mechanisms used to track incidents are defined;

+
- -

automated mechanisms used to collect incident information are defined;

-
+ +

automated mechanisms used to collect incident information are defined;

+
- -

automated mechanisms used to analyze incident information are defined;

-
+ +

automated mechanisms used to analyze incident information are defined;

+
- - + + -

Track incidents and collect and analyze incident information using .

+

Track incidents and collect and analyze incident information using .

Automated mechanisms for tracking incidents and collecting and analyzing incident information include Computer Incident Response Centers or other electronic databases of incidents and network monitoring devices.

@@ -34676,15 +32890,15 @@ -

incidents are tracked using ;

+

incidents are tracked using ;

-

incident information is collected using ;

+

incident information is collected using ;

-

incident information is analyzed using .

+

incident information is analyzed using .

@@ -34723,24 +32937,22 @@ - -

time period for personnel to report suspected incidents to the organizational incident response capability is defined;

-
+ +

time period for personnel to report suspected incidents to the organizational incident response capability is defined;

+
- -

authorities to whom incident information is to be reported are defined;

-
+ +

authorities to whom incident information is to be reported are defined;

+
- + @@ -34754,11 +32966,11 @@ -

Require personnel to report suspected incidents to the organizational incident response capability within ; and

+

Require personnel to report suspected incidents to the organizational incident response capability within ; and

-

Report incident information to .

+

Report incident information to .

@@ -34768,11 +32980,11 @@ -

personnel is/are required to report suspected incidents to the organizational incident response capability within ;

+

personnel is/are required to report suspected incidents to the organizational incident response capability within ;

-

incident information is reported to .

+

incident information is reported to .

@@ -34813,27 +33025,25 @@ - -

automated mechanisms used for reporting incidents are defined;

-
+ +

automated mechanisms used for reporting incidents are defined;

+
- + -

Report incidents using .

+

Report incidents using .

-

The recipients of incident reports are specified in IR-6b . Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs.

+

The recipients of incident reports are specified in IR-6b . Automated reporting mechanisms include email, posting on websites (with automatic updates), and automated incident response tools and programs.

-

incidents are reported using .

+

incidents are reported using .

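Review bot: the stray space before the period in "specified in IR-6b . Automated" survives unchanged in both the `-` and `+` lines of this hunk, and the same pattern recurs later in the patch with "IA-2 ." and "AU-2 .". If that gap is literal whitespace between the cross-reference element and the following period, it shows up as "IR-6b ." wherever the text is used and is exactly the kind of whitespace a fixup like this should fold; if it is intentional, a sentence in the commit message would save the next reader the same question. Either way it means whitespace inside mixed-content `<p>` text is folded in some places and left alone in others, so the normalization is not uniform.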
@@ -34872,26 +33082,24 @@ - -

personnel or roles to whom system vulnerabilities associated with reported incidents are reported to is/are defined;

-
+ +

personnel or roles to whom system vulnerabilities associated with reported incidents are reported to is/are defined;

+
- + -

Report system vulnerabilities associated with reported incidents to .

+

Report system vulnerabilities associated with reported incidents to .

Reported incidents that uncover system vulnerabilities are analyzed by organizational personnel including system owners, mission and business owners, senior agency information security officers, senior agency officials for privacy, authorizing officials, and the risk executive (function). The analysis can serve to prioritize and initiate mitigation actions to address the discovered system vulnerability.

-

system vulnerabilities associated with reported incidents are reported to .

+

system vulnerabilities associated with reported incidents are reported to .

@@ -34930,9 +33138,7 @@ - + @@ -34987,9 +33193,7 @@ - + @@ -35053,26 +33257,24 @@ - -

automated mechanisms used to increase the availability of incident response information and support are defined;

-
+ +

automated mechanisms used to increase the availability of incident response information and support are defined;

+
- + -

Increase the availability of incident response information and support using .

+

Increase the availability of incident response information and support using .

Automated mechanisms can provide a push or pull capability for users to obtain incident response assistance. For example, individuals may have access to a website to query the assistance capability, or the assistance capability can proactively send incident response information to users (general distribution or targeted) as part of increasing understanding of current response capabilities and support.

-

the availability of incident response information and support is increased using .

+

the availability of incident response information and support is increased using .

@@ -35111,9 +33313,7 @@ - + @@ -35165,79 +33365,69 @@ Incident Response Plan - - - + + + - -

personnel or roles that review and approve the incident response plan is/are identified;

-
+ +

personnel or roles that review and approve the incident response plan is/are identified;

+
- -

the frequency at which to review and approve the incident response plan is defined;

-
+ +

the frequency at which to review and approve the incident response plan is defined;

+
- -

entities, personnel, or roles with designated responsibility for incident response are defined;

-
+ +

entities, personnel, or roles with designated responsibility for incident response are defined;

+
- + - -

incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;

-
+ +

incident response personnel (identified by name and/or by role) to whom copies of the incident response plan are to be distributed is/are defined;

+
- -

organizational elements to which copies of the incident response plan are to be distributed are defined;

-
+ +

organizational elements to which copies of the incident response plan are to be distributed are defined;

+
- -

incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;

-
+ +

incident response personnel (identified by name and/or by role) to whom changes to the incident response plan is/are communicated are defined;

+
- -

organizational elements to which changes to the incident response plan are communicated are defined;

-
+ +

organizational elements to which changes to the incident response plan are communicated are defined;

+
- + @@ -35290,17 +33480,16 @@
-

Is reviewed and approved by - ; and

+

Is reviewed and approved by ; and

-

Explicitly designates responsibility for incident response to .

+

Explicitly designates responsibility for incident response to .

-

Distribute copies of the incident response plan to ;

+

Distribute copies of the incident response plan to ;

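Review bot: the `+` lines in this hunk do more than re-indent: "Is reviewed and approved by" followed on the next line by "; and" becomes the single line "Is reviewed and approved by ; and", i.e. a line break plus indentation inside a mixed-content `<p>` is replaced by one space. Whitespace in a text node is part of the document's string value, so for any consumer that does not collapse whitespace runs this is a textual change to the control statement rather than a cosmetic one. Suggest saying in the commit message that whitespace inside mixed content is normalized to single spaces, and spot-checking that the fold never yields "by; and" (no space) or a doubled space where the old text already had one, since the other hunks of the same shape ("is/are assigned the responsibility...", "maintenance policy that:", "are used to schedule maintenance...") make this the dominant edit in the patch.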
@@ -35308,7 +33497,7 @@ -

Communicate incident response plan changes to ; and

+

Communicate incident response plan changes to ; and

@@ -35356,23 +33545,22 @@ -

an incident response plan is developed that is reviewed and approved by - ;

+

an incident response plan is developed that is reviewed and approved by ;

-

an incident response plan is developed that explicitly designates responsibility for incident response to .

+

an incident response plan is developed that explicitly designates responsibility for incident response to .

-

copies of the incident response plan are distributed to ;

+

copies of the incident response plan are distributed to ;

-

copies of the incident response plan are distributed to ;

+

copies of the incident response plan are distributed to ;

@@ -35383,11 +33571,11 @@ -

incident response plan changes are communicated to ;

+

incident response plan changes are communicated to ;

-

incident response plan changes are communicated to ;

+

incident response plan changes are communicated to ;

@@ -35435,9 +33623,7 @@ - + @@ -35514,32 +33700,30 @@ - -

personnel or roles assigned the responsibility for responding to information spills is/are defined;

-
+ +

personnel or roles assigned the responsibility for responding to information spills is/are defined;

+
- -

personnel or roles to be alerted of the information spill using a method of communication not associated with the spill is/are defined;

-
+ +

personnel or roles to be alerted of the information spill using a method of communication not associated with the spill is/are defined;

+
- -

actions to be performed are defined;

-
+ +

actions to be performed are defined;

+
- + @@ -35552,7 +33736,7 @@

Respond to information spills by:

-

Assigning with responsibility for responding to information spills;

+

Assigning with responsibility for responding to information spills;

@@ -35560,7 +33744,7 @@ -

Alerting of the information spill using a method of communication not associated with the spill;

+

Alerting of the information spill using a method of communication not associated with the spill;

@@ -35576,7 +33760,7 @@ -

Performing the following additional actions: .

+

Performing the following additional actions: .

@@ -35586,8 +33770,7 @@ -

- is/are assigned the responsibility to respond to information spills;

+

is/are assigned the responsibility to respond to information spills;

@@ -35595,8 +33778,7 @@ -

- is/are alerted of the information spill using a method of communication not associated with the spill;

+

is/are alerted of the information spill using a method of communication not associated with the spill;

@@ -35612,8 +33794,7 @@ -

- are performed in response to information spills.

+

are performed in response to information spills.

@@ -35660,30 +33841,28 @@ - -

frequency at which to provide information spillage response training is defined;

-
+ +

frequency at which to provide information spillage response training is defined;

+
- + -

Provide information spillage response training .

+

Provide information spillage response training .

Organizations establish requirements for responding to information spillage incidents in incident response plans. Incident response training on a regular basis helps to ensure that organizational personnel understand their individual responsibilities and what specific actions to take when spillage incidents occur.

-

information spillage response training is provided .

+

information spillage response training is provided .

@@ -35714,27 +33893,24 @@ - -

procedures to be implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions are defined;

-
+ +

procedures to be implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions are defined;

+
- + -

Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: .

+

Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions: .

Corrective actions for systems contaminated due to information spillages may be time-consuming. Personnel may not have access to the contaminated systems while corrective actions are being taken, which may potentially affect their ability to conduct organizational business.

-

- are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

+

are implemented to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions.

@@ -35770,27 +33946,24 @@ - -

controls employed for personnel exposed to information not within assigned access authorizations are defined;

-
+ +

controls employed for personnel exposed to information not within assigned access authorizations are defined;

+
- + -

Employ the following controls for personnel exposed to information not within assigned access authorizations: .

+

Employ the following controls for personnel exposed to information not within assigned access authorizations: .

Controls include ensuring that personnel who are exposed to spilled information are made aware of the laws, executive orders, directives, regulations, policies, standards, and guidelines regarding the information and the restrictions imposed based on exposure to such information.

-

- are employed for personnel exposed to information not within assigned access authorizations.

+

are employed for personnel exposed to information not within assigned access authorizations.

@@ -35837,27 +34010,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the maintenance policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the maintenance policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the maintenance procedures are to be disseminated is/are defined;

+
@@ -35872,51 +34041,47 @@ - -

an official to manage the maintenance policy and procedures is defined;

-
+ +

an official to manage the maintenance policy and procedures is defined;

+
- -

the frequency with which the current maintenance policy is reviewed and updated is defined;

-
+ +

the frequency with which the current maintenance policy is reviewed and updated is defined;

+
- -

events that would require the current maintenance policy to be reviewed and updated are defined;

-
+ +

events that would require the current maintenance policy to be reviewed and updated are defined;

+
- -

the frequency with which the current maintenance procedures are reviewed and updated is defined;

-
+ +

the frequency with which the current maintenance procedures are reviewed and updated is defined;

+
- -

events that would require the maintenance procedures to be reviewed and updated are defined;

-
+ +

events that would require the maintenance procedures to be reviewed and updated are defined;

+
- - + + @@ -35928,11 +34093,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- maintenance policy that:

+

maintenance policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

@@ -35949,18 +34113,18 @@
-

Designate an to manage the development, documentation, and dissemination of the maintenance policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the maintenance policy and procedures; and

Review and update the current maintenance:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -35977,7 +34141,7 @@
-

the maintenance policy is disseminated to ;

+

the maintenance policy is disseminated to ;

@@ -35985,7 +34149,7 @@ -

the maintenance procedures are disseminated to ;

+

the maintenance procedures are disseminated to ;

@@ -35993,42 +34157,42 @@ -

the maintenance policy addresses purpose;

+

the maintenance policy addresses purpose;

-

the maintenance policy addresses scope;

+

the maintenance policy addresses scope;

-

the maintenance policy addresses roles;

+

the maintenance policy addresses roles;

-

the maintenance policy addresses responsibilities;

+

the maintenance policy addresses responsibilities;

-

the maintenance policy addresses management commitment;

+

the maintenance policy addresses management commitment;

-

the maintenance policy addresses coordination among organizational entities;

+

the maintenance policy addresses coordination among organizational entities;

-

the maintenance policy addresses compliance;

+

the maintenance policy addresses compliance;

-

the maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+

the maintenance policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

-

the is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the maintenance policy and procedures;

@@ -36036,22 +34200,22 @@ -

the current maintenance policy is reviewed and updated ;

+

the current maintenance policy is reviewed and updated ;

-

the current maintenance policy is reviewed and updated following ;

+

the current maintenance policy is reviewed and updated following ;

-

the current maintenance procedures are reviewed and updated ;

+

the current maintenance procedures are reviewed and updated ;

-

the current maintenance procedures are reviewed and updated following .

+

the current maintenance procedures are reviewed and updated following .

@@ -36082,32 +34246,30 @@ - -

personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;

-
+ +

personnel or roles required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance or repairs is/are defined;

+
- -

information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;

-
+ +

information to be removed from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement is defined;

+
- -

information to be included in organizational maintenance records is defined;

-
+ +

information to be included in organizational maintenance records is defined;

+
- + @@ -36133,11 +34295,11 @@
-

Require that explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

+

Require that explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

-

Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: ;

+

Sanitize equipment to remove the following information from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement: ;

@@ -36145,7 +34307,7 @@ -

Include the following information in organizational maintenance records: .

+

Include the following information in organizational maintenance records: .

@@ -36181,12 +34343,11 @@ -

- is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

+

is/are required to explicitly approve the removal of the system or system components from organizational facilities for off-site maintenance, repair, or replacement;

-

equipment is sanitized to remove from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;

+

equipment is sanitized to remove from associated media prior to removal from organizational facilities for off-site maintenance, repair, or replacement;

@@ -36194,8 +34355,7 @@ -

- is included in organizational maintenance records.

+

is included in organizational maintenance records.

@@ -36243,50 +34403,42 @@ Automated Maintenance Activities - - - + + + - -

automated mechanisms used to schedule maintenance, repair, and replacement actions for the system are defined;

-
+ +

automated mechanisms used to schedule maintenance, repair, and replacement actions for the system are defined;

+
- -

automated mechanisms used to conduct maintenance, repair, and replacement actions for the system are defined;

-
+ +

automated mechanisms used to conduct maintenance, repair, and replacement actions for the system are defined;

+
- -

automated mechanisms used to document maintenance, repair, and replacement actions for the system are defined;

-
+ +

automated mechanisms used to document maintenance, repair, and replacement actions for the system are defined;

+
- + -

Schedule, conduct, and document maintenance, repair, and replacement actions for the system using ; and

+

Schedule, conduct, and document maintenance, repair, and replacement actions for the system using ; and

@@ -36302,18 +34454,15 @@ -

- are used to schedule maintenance, repair, and replacement actions for the system;

+

are used to schedule maintenance, repair, and replacement actions for the system;

-

- are used to conduct maintenance, repair, and replacement actions for the system;

+

are used to conduct maintenance, repair, and replacement actions for the system;

-

- are used to document maintenance, repair, and replacement actions for the system;

+

are used to document maintenance, repair, and replacement actions for the system;

@@ -36370,16 +34519,14 @@ - -

frequency at which to review previously approved system maintenance tools is defined;

-
+ +

frequency at which to review previously approved system maintenance tools is defined;

+
- + @@ -36390,13 +34537,11 @@
-

Review previously approved system maintenance tools .

+

Review previously approved system maintenance tools .

-

Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as ping, - ls, - ipconfig, or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools.

+

Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with maintenance tools that are not within system authorization boundaries and are used specifically for diagnostic and repair actions on organizational systems. Organizations have flexibility in determining roles for the approval of maintenance tools and how that approval is documented. A periodic review of maintenance tools facilitates the withdrawal of approval for outdated, unsupported, irrelevant, or no-longer-used tools. Maintenance tools can include hardware, software, and firmware items and may be pre-installed, brought in with maintenance personnel on media, cloud-based, or downloaded from a website. Such tools can be vehicles for transporting malicious code, either intentionally or unintentionally, into a facility and subsequently into systems. Maintenance tools can include hardware and software diagnostic test equipment and packet sniffers. The hardware and software components that support maintenance and are a part of the system (including the software implementing utilities such as ping, ls, ipconfig, or the hardware and software implementing the monitoring port of an Ethernet switch) are not addressed by maintenance tools.

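Review bot: this hunk is the best place to spot-check the fold: "ping," / "ls," / "ipconfig," on three `-` lines become "ping, ls, ipconfig" on one `+` line and the surrounding paragraph is otherwise identical. With this many joins across the patch a line diff is not a practical proof that no space was lost or gained inside a word; compare instead the whitespace-normalized string value of each `<p>` between the two revisions (for example run `xmllint --format` on both files and diff the results with `-w`, or dump `normalize-space()` of every paragraph via XPath) and require the difference to be empty. If that check is clean the "Cosmetic" description is justified; if not, the paragraphs it flags are the ones to hand-review before merging.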
@@ -36417,7 +34562,7 @@ -

previously approved system maintenance tools are reviewed .

+

previously approved system maintenance tools are reviewed .

@@ -36453,9 +34598,7 @@ - + @@ -36503,9 +34646,7 @@ - + @@ -36553,16 +34694,14 @@ - -

personnel or roles who can authorize removal of equipment from the facility is/are defined;

-
+ +

personnel or roles who can authorize removal of equipment from the facility is/are defined;

+
- + @@ -36581,7 +34720,7 @@ -

Obtaining an exemption from explicitly authorizing removal of the equipment from the facility.

+

Obtaining an exemption from explicitly authorizing removal of the equipment from the facility.

@@ -36603,7 +34742,7 @@ -

the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from explicitly authorizing removal of the equipment from the facility.

+

the removal of maintenance equipment containing organizational information is prevented by obtaining an exemption from explicitly authorizing removal of the equipment from the facility.

@@ -36645,12 +34784,8 @@ - - + + @@ -36701,12 +34836,8 @@ - - + + @@ -36757,12 +34888,8 @@ - - + + @@ -36815,9 +34942,7 @@ - + @@ -36861,7 +34986,7 @@
-

Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2 . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished, in part, by other controls. SP 800-63B provides additional guidance on strong authentication and authenticators.

+

Nonlocal maintenance and diagnostic activities are conducted by individuals who communicate through either an external or internal network. Local maintenance and diagnostic activities are carried out by individuals who are physically present at the system location and not communicating across a network connection. Authentication techniques used to establish nonlocal maintenance and diagnostic sessions reflect the network access requirements in IA-2 . Strong authentication requires authenticators that are resistant to replay attacks and employ multi-factor authentication. Strong authenticators include PKI where certificates are stored on a token protected by a password, passphrase, or biometric. Enforcing requirements in MA-4 is accomplished, in part, by other controls. SP 800-63B provides additional guidance on strong authentication and authenticators.

@@ -36946,41 +35071,35 @@ Logging and Review - - + + - -

audit events to be logged for nonlocal maintenance are defined;

-
+ +

audit events to be logged for nonlocal maintenance are defined;

+
- -

audit events to be logged for diagnostic sessions are defined;

-
+ +

audit events to be logged for diagnostic sessions are defined;

+
- + -

Log for nonlocal maintenance and diagnostic sessions; and

+

Log for nonlocal maintenance and diagnostic sessions; and

@@ -36988,7 +35107,7 @@
-

Audit logging for nonlocal maintenance is enforced by AU-2 . Audit events are defined in AU-2a.

+

Audit logging for nonlocal maintenance is enforced by AU-2 . Audit events are defined in AU-2a.

@@ -36996,13 +35115,11 @@ -

- are logged for nonlocal maintenance sessions;

+

are logged for nonlocal maintenance sessions;

-

- are logged for nonlocal diagnostic sessions;

+

are logged for nonlocal diagnostic sessions;

@@ -37066,9 +35183,7 @@ - + @@ -37158,22 +35273,20 @@ - -

authenticators that are replay resistant are defined;

-
+ +

authenticators that are replay resistant are defined;

+
- +

Protect nonlocal maintenance sessions by:

-

Employing ; and

+

Employing ; and

@@ -37195,7 +35308,7 @@ -

nonlocal maintenance sessions are protected by employing ;

+

nonlocal maintenance sessions are protected by employing ;

@@ -37249,34 +35362,32 @@ - -

personnel or roles required to approve each nonlocal maintenance session is/are defined;

-
+ +

personnel or roles required to approve each nonlocal maintenance session is/are defined;

+
- -

personnel and roles to be notified of the date and time of planned nonlocal maintenance is/are defined;

-
+ +

personnel and roles to be notified of the date and time of planned nonlocal maintenance is/are defined;

+
- + -

Require the approval of each nonlocal maintenance session by ; and

+

Require the approval of each nonlocal maintenance session by ; and

-

Notify the following personnel or roles of the date and time of planned nonlocal maintenance: .

+

Notify the following personnel or roles of the date and time of planned nonlocal maintenance: .

@@ -37286,12 +35397,11 @@ -

the approval of each nonlocal maintenance session is required by ;

+

the approval of each nonlocal maintenance session is required by ;

-

- is/are notified of the date and time of planned nonlocal maintenance.

+

is/are notified of the date and time of planned nonlocal maintenance.

@@ -37332,25 +35442,21 @@ - -

cryptographic mechanisms to be implemented to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications are defined;

-
+ +

cryptographic mechanisms to be implemented to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications are defined;

+
- - + + -

Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: .

+

Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: .

Failure to protect nonlocal maintenance and diagnostic communications can result in unauthorized individuals gaining access to organizational information. Unauthorized access during remote maintenance sessions can result in a variety of hostile actions, including malicious code insertion, unauthorized changes to system parameters, and exfiltration of organizational information. Such actions can result in the loss or degradation of mission or business capabilities.

@@ -37359,13 +35465,11 @@ -

- are implemented to protect the integrity of nonlocal maintenance and diagnostic communications;

+

are implemented to protect the integrity of nonlocal maintenance and diagnostic communications;

-

- are implemented to protect the confidentiality of nonlocal maintenance and diagnostic communications.

+

are implemented to protect the confidentiality of nonlocal maintenance and diagnostic communications.

@@ -37407,9 +35511,7 @@ - + @@ -37470,9 +35572,7 @@ - + @@ -37500,7 +35600,7 @@ -

Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

+

Maintenance personnel refers to individuals who perform hardware or software maintenance on organizational systems, while PE-2 addresses physical access for individuals whose maintenance duties place them within the physical protection perimeter of the systems. Technical competence of supervising individuals relates to the maintenance performed on the systems, while having required access authorizations refers to maintenance on and near the systems. Individuals not previously identified as authorized maintenance personnel—such as information technology manufacturers, vendors, systems integrators, and consultants—may require privileged access to organizational systems, such as when they are required to conduct maintenance activities with little or no notice. Based on organizational assessments of risk, organizations may issue temporary credentials to these individuals. Temporary credentials may be for one-time use or for very limited time periods.

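Review bot: the `-`/`+` pairs in this hunk are identical in their text content (both copies of the maintenance-personnel discussion read the same), and the same holds for nearly every hunk in this section of the diff, so the change cannot be reviewed line by line. Please record in the PR description the check used to show the two revisions are equivalent, for example canonicalizing both with `xmllint --c14n` after stripping ignorable whitespace and diffing the result, and state explicitly whether whitespace inside mixed-content paragraphs was left untouched, since that whitespace is significant to renderers.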
@@ -37561,16 +35661,14 @@ - -

alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed, or disconnected from the system are defined;

-
+ +

alternate controls to be developed and implemented in the event that a system component cannot be sanitized, removed, or disconnected from the system are defined;

+
- + @@ -37589,7 +35687,7 @@
-

Develop and implement in the event a system component cannot be sanitized, removed, or disconnected from the system.

+

Develop and implement in the event a system component cannot be sanitized, removed, or disconnected from the system.

@@ -37610,8 +35708,7 @@ -

- are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.

+

are developed and implemented in the event that a system cannot be sanitized, removed, or disconnected from the system.

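Review bot: the assessment objective in the last `-`/`+` pair reads "in the event that a system cannot be sanitized, removed, or disconnected from the system", whereas the parameter label earlier in this region reads "a system component cannot be sanitized"; "a system" looks like a pre-existing slip for "a system component". It is reproduced unchanged here, which is correct for a whitespace-only commit, but it should be tracked as a separate content issue rather than lost in this diff.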
@@ -37656,9 +35753,7 @@ - + @@ -37716,9 +35811,7 @@ - + @@ -37761,9 +35854,7 @@ - + @@ -37842,9 +35933,7 @@ - +

Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations.

@@ -37890,24 +35979,22 @@ - -

system components for which maintenance support and/or spare parts are obtained are defined;

-
+ +

system components for which maintenance support and/or spare parts are obtained are defined;

+
- -

time period within which maintenance support and/or spare parts are to be obtained after a failure are defined;

-
+ +

time period within which maintenance support and/or spare parts are to be obtained after a failure are defined;

+
- + @@ -37918,14 +36005,14 @@ -

Obtain maintenance support and/or spare parts for within of failure.

+

Obtain maintenance support and/or spare parts for within of failure.

Organizations specify the system components that result in increased risk to organizational operations and assets, individuals, other organizations, or the Nation when the functionality provided by those components is not operational. Organizational actions to obtain maintenance support include having appropriate contracts in place.

-

maintenance support and/or spare parts are obtained for within of failure.

+

maintenance support and/or spare parts are obtained for within of failure.

@@ -37963,34 +36050,32 @@ - -

system components on which preventive maintenance is to be performed are defined;

-
+ +

system components on which preventive maintenance is to be performed are defined;

+
- -

time intervals within which preventive maintenance is to be performed on system components are defined;

-
+ +

time intervals within which preventive maintenance is to be performed on system components are defined;

+
- + -

Perform preventive maintenance on at .

+

Perform preventive maintenance on at .

Preventive maintenance includes proactive care and the servicing of system components to maintain organizational equipment and facilities in satisfactory operating condition. Such maintenance provides for the systematic inspection, tests, measurements, adjustments, parts replacement, detection, and correction of incipient failures either before they occur or before they develop into major defects. The primary goal of preventive maintenance is to avoid or mitigate the consequences of equipment failures. Preventive maintenance is designed to preserve and restore equipment reliability by replacing worn components before they fail. Methods of determining what preventive (or other) failure management policies to apply include original equipment manufacturer recommendations; statistical failure records; expert opinion; maintenance that has already been conducted on similar equipment; requirements of codes, laws, or regulations within a jurisdiction; or measured values and performance indications.

-

preventive maintenance is performed on at .

+

preventive maintenance is performed on at .

@@ -38030,34 +36115,32 @@ - -

system components on which predictive maintenance is to be performed are defined;

-
+ +

system components on which predictive maintenance is to be performed are defined;

+
- -

time intervals within which predictive maintenance is to be performed are defined;

-
+ +

time intervals within which predictive maintenance is to be performed are defined;

+
- + -

Perform predictive maintenance on at .

+

Perform predictive maintenance on at .

Predictive maintenance evaluates the condition of equipment by performing periodic or continuous (online) equipment condition monitoring. The goal of predictive maintenance is to perform maintenance at a scheduled time when the maintenance activity is most cost-effective and before the equipment loses performance within a threshold. The predictive component of predictive maintenance stems from the objective of predicting the future trend of the equipment's condition. The predictive maintenance approach employs principles of statistical process control to determine at what point in the future maintenance activities will be appropriate. Most predictive maintenance inspections are performed while equipment is in service, thus minimizing disruption of normal system operations. Predictive maintenance can result in substantial cost savings and higher system reliability.

-

predictive maintenance is performed on at .

+

predictive maintenance is performed on at .

@@ -38097,26 +36180,24 @@ - -

automated mechanisms used to transfer predictive maintenance data to a maintenance management system are defined;

-
+ +

automated mechanisms used to transfer predictive maintenance data to a maintenance management system are defined;

+
- + -

Transfer predictive maintenance data to a maintenance management system using .

+

Transfer predictive maintenance data to a maintenance management system using .

A computerized maintenance management system maintains a database of information about the maintenance operations of organizations and automates the processing of equipment condition data to trigger maintenance planning, execution, and reporting.

-

predictive maintenance data is transferred to a maintenance management system using .

+

predictive maintenance data is transferred to a maintenance management system using .

@@ -38157,36 +36238,34 @@ - -

systems or system components on which field maintenance is restricted or prohibited to trusted maintenance facilities are defined;

-
+ +

systems or system components on which field maintenance is restricted or prohibited to trusted maintenance facilities are defined;

+
- -

trusted maintenance facilities that are not restricted or prohibited from conducting field maintenance are defined;

-
+ +

trusted maintenance facilities that are not restricted or prohibited from conducting field maintenance are defined;

+
- + -

Restrict or prohibit field maintenance on to .

+

Restrict or prohibit field maintenance on to .

Field maintenance is the type of maintenance conducted on a system or system component after the system or component has been deployed to a specific site (i.e., operational environment). In certain instances, field maintenance (i.e., local maintenance at the site) may not be executed with the same degree of rigor or with the same quality control checks as depot maintenance. For critical systems designated as such by the organization, it may be necessary to restrict or prohibit field maintenance at the local site and require that such maintenance be conducted in trusted facilities with additional controls.

-

field maintenance on are restricted or prohibited to .

+

field maintenance on are restricted or prohibited to .

@@ -38228,27 +36307,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the media protection policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the media protection policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the media protection procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the media protection procedures are to be disseminated is/are defined;

+
@@ -38263,51 +36338,47 @@ - -

an official to manage the media protection policy and procedures is defined;

-
+ +

an official to manage the media protection policy and procedures is defined;

+
- -

the frequency with which the current media protection policy is reviewed and updated is defined;

-
+ +

the frequency with which the current media protection policy is reviewed and updated is defined;

+
- -

events that would require the current media protection policy to be reviewed and updated are defined;

-
+ +

events that would require the current media protection policy to be reviewed and updated are defined;

+
- -

the frequency with which the current media protection procedures are reviewed and updated is defined;

-
+ +

the frequency with which the current media protection procedures are reviewed and updated is defined;

+
- -

events that would require media protection procedures to be reviewed and updated are defined;

-
+ +

events that would require media protection procedures to be reviewed and updated are defined;

+
- - + + @@ -38319,11 +36390,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- media protection policy that:

+

media protection policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

@@ -38340,18 +36410,18 @@
-

Designate an to manage the development, documentation, and dissemination of the media protection policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the media protection policy and procedures; and

Review and update the current media protection:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -38368,7 +36438,7 @@
-

the media protection policy is disseminated to ;

+

the media protection policy is disseminated to ;

@@ -38376,7 +36446,7 @@ -

the media protection procedures are disseminated to ;

+

the media protection procedures are disseminated to ;

@@ -38384,31 +36454,31 @@ -

the media protection policy addresses purpose;

+

the media protection policy addresses purpose;

-

the media protection policy addresses scope;

+

the media protection policy addresses scope;

-

the media protection policy addresses roles;

+

the media protection policy addresses roles;

-

the media protection policy addresses responsibilities;

+

the media protection policy addresses responsibilities;

-

the media protection policy addresses management commitment;

+

the media protection policy addresses management commitment;

-

the media protection policy addresses coordination among organizational entities;

+

the media protection policy addresses coordination among organizational entities;

-

the media protection policy compliance;

+

the media protection policy compliance;

@@ -38419,7 +36489,7 @@ -

the is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.

+

the is designated to manage the development, documentation, and dissemination of the media protection policy and procedures.

@@ -38427,22 +36497,22 @@ -

the current media protection policy is reviewed and updated ;

+

the current media protection policy is reviewed and updated ;

-

the current media protection policy is reviewed and updated following ;

+

the current media protection policy is reviewed and updated following ;

-

the current media protection procedures are reviewed and updated ;

+

the current media protection procedures are reviewed and updated ;

-

the current media protection procedures are reviewed and updated following .

+

the current media protection procedures are reviewed and updated following .

@@ -38470,57 +36540,47 @@ Media Access - - + + - - + + - -

types of digital media to which access is restricted are defined;

-
+ +

types of digital media to which access is restricted are defined;

+
- -

personnel or roles authorized to access digital media is/are defined;

-
+ +

personnel or roles authorized to access digital media is/are defined;

+
- -

types of non-digital media to which access is restricted are defined;

-
+ +

types of non-digital media to which access is restricted are defined;

+
- -

personnel or roles authorized to access non-digital media is/are defined;

-
+ +

personnel or roles authorized to access non-digital media is/are defined;

+
- + @@ -38539,7 +36599,7 @@ -

Restrict access to to .

+

Restrict access to to .

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Denying access to patient medical records in a community hospital unless the individuals seeking access to such records are authorized healthcare providers is an example of restricting access to non-digital media. Limiting access to the design specifications stored on compact discs in the media library to individuals on the system development team is an example of restricting access to digital media.

@@ -38548,11 +36608,11 @@ -

access to is restricted to ;

+

access to is restricted to ;

-

access to is restricted to .

+

access to is restricted to .

@@ -38610,24 +36670,22 @@ - -

types of system media exempt from marking when remaining in controlled areas are defined;

-
+ +

types of system media exempt from marking when remaining in controlled areas are defined;

+
- -

controlled areas where media is exempt from marking are defined;

-
+ +

controlled areas where media is exempt from marking are defined;

+
- + @@ -38643,11 +36701,11 @@
-

Exempt from marking if the media remain within .

+

Exempt from marking if the media remain within .

-

Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in 32 CFR 2002 . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

+

Security marking refers to the application or use of human-readable security attributes. Digital media includes diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state, magnetic), flash drives, compact discs, and digital versatile discs. Non-digital media includes paper and microfilm. Controlled unclassified information is defined by the National Archives and Records Administration along with the appropriate safeguarding and dissemination requirements for such information and is codified in 32 CFR 2002 . Security markings are generally not required for media that contains information determined by organizations to be in the public domain or to be publicly releasable. Some organizations may require markings for public information indicating that the information is publicly releasable. System media marking reflects applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

@@ -38657,8 +36715,7 @@ -

- remain within .

+

remain within .

@@ -38694,77 +36751,63 @@ Media Storage - - - - + + + + - - + + - -

types of digital media to be physically controlled are defined (if selected);

-
+ +

types of digital media to be physically controlled are defined (if selected);

+
- -

types of non-digital media to be physically controlled are defined (if selected);

-
+ +

types of non-digital media to be physically controlled are defined (if selected);

+
- -

types of digital media to be securely stored are defined (if selected);

-
+ +

types of digital media to be securely stored are defined (if selected);

+
- -

types of non-digital media to be securely stored are defined (if selected);

-
+ +

types of non-digital media to be securely stored are defined (if selected);

+
- -

controlled areas within which to securely store digital media are defined;

-
+ +

controlled areas within which to securely store digital media are defined;

+
- -

controlled areas within which to securely store non-digital media are defined;

-
+ +

controlled areas within which to securely store non-digital media are defined;

+
- + @@ -38790,7 +36833,7 @@ -

Physically control and securely store within ; and

+

Physically control and securely store within ; and

@@ -38806,23 +36849,19 @@ -

- are physically controlled;

+

are physically controlled;

-

- are physically controlled;

+

are physically controlled;

-

- are securely stored within ;

+

are securely stored within ;

-

- are securely stored within ;

+

are securely stored within ;

@@ -38871,44 +36910,36 @@ Automated Restricted Access - - - + + + - -

automated mechanisms to restrict access to media storage areas are defined;

-
+ +

automated mechanisms to restrict access to media storage areas are defined;

+
- -

automated mechanisms to log access attempts to media storage areas are defined;

-
+ +

automated mechanisms to log access attempts to media storage areas are defined;

+
- -

automated mechanisms to log access granted to media storage areas are defined;

-
+ +

automated mechanisms to log access granted to media storage areas are defined;

+
- + @@ -38917,7 +36948,7 @@ -

Restrict access to media storage areas and log access attempts and access granted using .

+

Restrict access to media storage areas and log access attempts and access granted using .

Automated mechanisms include keypads, biometric readers, or card readers on the external entries to media storage areas.

@@ -38926,15 +36957,15 @@ -

access to media storage areas is restricted using ;

+

access to media storage areas is restricted using ;

-

access attempts to media storage areas are logged using ;

+

access attempts to media storage areas are logged using ;

-

access granted to media storage areas is logged using .

+

access granted to media storage areas is logged using .

@@ -38977,42 +37008,36 @@ Media Transport - - + + - -

types of system media to protect and control during transport outside of controlled areas are defined;

-
+ +

types of system media to protect and control during transport outside of controlled areas are defined;

+
- -

controls used to protect system media outside of controlled areas are defined;

-
+ +

controls used to protect system media outside of controlled areas are defined;

+
- -

controls used to control system media outside of controlled areas are defined;

-
+ +

controls used to control system media outside of controlled areas are defined;

+
- + @@ -39031,7 +37056,7 @@ -

Protect and control during transport outside of controlled areas using ;

+

Protect and control during transport outside of controlled areas using ;

@@ -39047,7 +37072,7 @@
-

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.

+

System media includes digital and non-digital media. Digital media includes flash drives, diskettes, magnetic tapes, external or removable hard disk drives (e.g., solid state and magnetic), compact discs, and digital versatile discs. Non-digital media includes microfilm and paper. Controlled areas are spaces for which organizations provide physical or procedural controls to meet requirements established for protecting information and systems. Controls to protect media during transport include cryptography and locked containers. Cryptographic mechanisms can provide confidentiality and integrity protections depending on the mechanisms implemented. Activities associated with media transport include releasing media for transport, ensuring that media enters the appropriate transport processes, and the actual transport. Authorized transport and courier personnel may include individuals external to the organization. Maintaining accountability of media during transport includes restricting transport activities to authorized personnel and tracking and/or obtaining records of transport activities as the media moves through the transportation system to prevent and detect loss, destruction, or tampering. Organizations establish documentation requirements for activities associated with the transport of system media in accordance with organizational assessments of risk. Organizations maintain the flexibility to define record-keeping methods for the different types of media transport as part of a system of transport-related records.

@@ -39055,13 +37080,11 @@ -

- are protected during transport outside of controlled areas using ;

+

are protected during transport outside of controlled areas using ;

-

- are controlled during transport outside of controlled areas using ;

+

are controlled during transport outside of controlled areas using ;

@@ -39137,9 +37160,7 @@ - +

Employ an identified custodian during transport of system media outside of controlled areas.

@@ -39199,77 +37220,63 @@ Media Sanitization - - - + + + - - - + + + - -

system media to be sanitized prior to disposal is defined;

-
+ +

system media to be sanitized prior to disposal is defined;

+
- -

system media to be sanitized prior to release from organizational control is defined;

-
+ +

system media to be sanitized prior to release from organizational control is defined;

+
- -

system media to be sanitized prior to release for reuse is defined;

-
+ +

system media to be sanitized prior to release for reuse is defined;

+
- -

sanitization techniques and procedures to be used for sanitization prior to disposal are defined;

-
+ +

sanitization techniques and procedures to be used for sanitization prior to disposal are defined;

+
- -

sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;

-
+ +

sanitization techniques and procedures to be used for sanitization prior to release from organizational control are defined;

+
- -

sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;

-
+ +

sanitization techniques and procedures to be used for sanitization prior to release for reuse are defined;

+
- + @@ -39295,7 +37302,7 @@ -

Sanitize prior to disposal, release out of organizational control, or release for reuse using ; and

+

Sanitize prior to disposal, release out of organizational control, or release for reuse using ; and

@@ -39311,18 +37318,15 @@ -

- is sanitized using prior to disposal;

+

is sanitized using prior to disposal;

-

- is sanitized using prior to release from organizational control;

+

is sanitized using prior to release from organizational control;

-

- is sanitized using prior to release for reuse;

+

is sanitized using prior to release for reuse;

@@ -39371,9 +37375,7 @@ - +

Review, approve, track, document, and verify media sanitization and disposal actions.

@@ -39446,37 +37448,31 @@ Equipment Testing - - + + - -

frequency with which to test sanitization equipment is defined;

-
+ +

frequency with which to test sanitization equipment is defined;

+
- -

frequency with which to test sanitization procedures is defined;

-
+ +

frequency with which to test sanitization procedures is defined;

+
- + -

Test sanitization equipment and procedures to ensure that the intended sanitization is being achieved.

+

Test sanitization equipment and procedures to ensure that the intended sanitization is being achieved.

Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities, including federal agencies or external service providers.

@@ -39485,11 +37481,11 @@ -

sanitization equipment is tested to ensure that the intended sanitization is being achieved;

+

sanitization equipment is tested to ensure that the intended sanitization is being achieved;

-

sanitization procedures are tested to ensure that the intended sanitization is being achieved.

+

sanitization procedures are tested to ensure that the intended sanitization is being achieved.

@@ -39532,31 +37528,27 @@ Nondestructive Techniques - + - -

circumstances requiring sanitization of portable storage devices are defined;

-
+ +

circumstances requiring sanitization of portable storage devices are defined;

+
- + -

Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: .

+

Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: .

Portable storage devices include external or removable hard disk drives (e.g., solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices.

-

non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under .

+

non-destructive sanitization techniques are applied to portable storage devices prior to connecting such devices to the system under .

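Review bot: the enhancement label in this hunk is "Nondestructive Techniques" and the control statement says "nondestructive sanitization techniques", but the assessment objective (last `-`/`+` pair) says "non-destructive". The hyphenation mismatch predates this commit and is rightly left alone in a whitespace fixup; flag it for a follow-up so both spellings converge on the control's.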
@@ -39619,28 +37611,26 @@ - -

system media to be sanitized using dual authorization is defined;

-
+ +

system media to be sanitized using dual authorization is defined;

+
- + -

Enforce dual authorization for the sanitization of .

+

Enforce dual authorization for the sanitization of .

Organizations employ dual authorization to help ensure that system media sanitization cannot occur unless two technically qualified individuals conduct the designated task. Individuals who sanitize system media possess sufficient skills and expertise to determine if the proposed sanitization reflects applicable federal and organizational standards, policies, and procedures. Dual authorization also helps to ensure that sanitization occurs as intended, protecting against errors and false claims of having performed the sanitization actions. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals.

-

dual authorization for sanitization of is enforced.

+

dual authorization for sanitization of is enforced.

@@ -39682,45 +37672,40 @@ - -

systems or system components to purge or wipe information either remotely or under specific conditions are defined;

-
+ +

systems or system components to purge or wipe information either remotely or under specific conditions are defined;

+
- -

conditions under which information is to be purged or wiped are defined (if selected);

-
+ +

conditions under which information is to be purged or wiped are defined (if selected);

+
- + -

Provide the capability to purge or wipe information from - .

+

Provide the capability to purge or wipe information from .

Remote purging or wiping of information protects information on organizational systems and system components if systems or components are obtained by unauthorized individuals. Remote purge or wipe commands require strong authentication to help mitigate the risk of unauthorized individuals purging or wiping the system, component, or device. The purge or wipe function can be implemented in a variety of ways, including by overwriting data or information multiple times or by destroying the key necessary to decrypt encrypted data.

-

the capability to purge or wipe information from - is provided.

+

the capability to purge or wipe information from is provided.

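Review bot: this hunk is not purely indentation: in the `-` lines the closing period of "Provide the capability to purge or wipe information from ... ." sat on its own line after the inline parameter insertion, and the `+` lines join it onto the same line (the objective statement further down gets the same treatment). Because that gap sits inside a mixed-content paragraph, the newline-plus-indent form and the joined form may render differently (a space, or no space, before the period), so verify that the rendered text of this statement is unchanged, not only that the XML is still well-formed.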
@@ -39762,9 +37747,9 @@ - -

types of system media to be restricted or prohibited from use on systems or system components are defined;

-
+ +

types of system media to be restricted or prohibited from use on systems or system components are defined;

+
@@ -39778,24 +37763,22 @@ - -

systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;

-
+ +

systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;

+
- -

controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;

-
+ +

controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;

+
- + @@ -39807,8 +37790,7 @@ -

- the use of on using ; and

+

the use of on using ; and

@@ -39816,13 +37798,13 @@
-

System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to MP-2 , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.

+

System media includes both digital and non-digital media. Digital media includes diskettes, magnetic tapes, flash drives, compact discs, digital versatile discs, and removable hard disk drives. Non-digital media includes paper and microfilm. Media use protections also apply to mobile devices with information storage capabilities. In contrast to MP-2 , which restricts user access to media, MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations use technical and nontechnical controls to restrict the use of system media. Organizations may restrict the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may restrict the use of portable storage devices based on the type of device, such as by prohibiting the use of writeable, portable storage devices and implementing this restriction by disabling or removing the capability to write to such devices. Requiring identifiable owners for storage devices reduces the risk of using such devices by allowing organizations to assign responsibility for addressing known vulnerabilities in the devices.

-

the use of is on using ;

+

the use of is on using ;

@@ -39874,9 +37856,7 @@ - + @@ -39934,30 +37914,28 @@ - -

a system media downgrading process is defined;

-
+ +

a system media downgrading process is defined;

+
- -

system media requiring downgrading is defined;

-
+ +

system media requiring downgrading is defined;

+
- + -

Establish that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;

+

Establish that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;

@@ -39965,7 +37943,7 @@ -

Identify ; and

+

Identify ; and

@@ -39981,11 +37959,11 @@ -

a is established;

+

a is established;

-

the includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;

+

the includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;

@@ -40001,12 +37979,11 @@ -

- is identified;

+

is identified;

-

the identified system media is downgraded using the .

+

the identified system media is downgraded using the .

@@ -40045,9 +38022,7 @@ - +

Document system media downgrading actions.

@@ -40094,37 +38069,31 @@ Equipment Testing - - + + - -

the frequency with which to test downgrading equipment is defined;

-
+ +

the frequency with which to test downgrading equipment is defined;

+
- -

the frequency with which to test downgrading procedures is defined;

-
+ +

the frequency with which to test downgrading procedures is defined;

+
- + -

Test downgrading equipment and procedures to ensure that downgrading actions are being achieved.

+

Test downgrading equipment and procedures to ensure that downgrading actions are being achieved.

None.

@@ -40133,11 +38102,11 @@ -

downgrading equipment is tested to ensure that downgrading actions are being achieved;

+

downgrading equipment is tested to ensure that downgrading actions are being achieved;

-

downgrading procedures are tested to ensure that downgrading actions are being achieved.

+

downgrading procedures are tested to ensure that downgrading actions are being achieved.

@@ -40176,9 +38145,7 @@ - +

Downgrade system media containing controlled unclassified information prior to public release.

@@ -40232,9 +38199,7 @@ - +

Downgrade system media containing classified information prior to release to individuals without required access authorizations.

@@ -40291,27 +38256,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the physical and environmental protection policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the physical and environmental protection procedures are to be disseminated is/are defined;

+
@@ -40326,51 +38287,47 @@ - -

an official to manage the physical and environmental protection policy and procedures is defined;

-
+ +

an official to manage the physical and environmental protection policy and procedures is defined;

+
- -

the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;

-
+ +

the frequency at which the current physical and environmental protection policy is reviewed and updated is defined;

+
- -

events that would require the current physical and environmental protection policy to be reviewed and updated are defined;

-
+ +

events that would require the current physical and environmental protection policy to be reviewed and updated are defined;

+
- -

the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;

-
+ +

the frequency at which the current physical and environmental protection procedures are reviewed and updated is defined;

+
- -

events that would require the physical and environmental protection procedures to be reviewed and updated are defined;

-
+ +

events that would require the physical and environmental protection procedures to be reviewed and updated are defined;

+
- - + + @@ -40382,11 +38339,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- physical and environmental protection policy that:

+

physical and environmental protection policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

@@ -40403,18 +38359,18 @@
-

Designate an to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and

Review and update the current physical and environmental protection:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -40431,7 +38387,7 @@
-

the physical and environmental protection policy is disseminated to ;

+

the physical and environmental protection policy is disseminated to ;

@@ -40439,7 +38395,7 @@ -

the physical and environmental protection procedures are disseminated to ;

+

the physical and environmental protection procedures are disseminated to ;

@@ -40447,42 +38403,42 @@ -

the physical and environmental protection policy addresses purpose;

+

the physical and environmental protection policy addresses purpose;

-

the physical and environmental protection policy addresses scope;

+

the physical and environmental protection policy addresses scope;

-

the physical and environmental protection policy addresses roles;

+

the physical and environmental protection policy addresses roles;

-

the physical and environmental protection policy addresses responsibilities;

+

the physical and environmental protection policy addresses responsibilities;

-

the physical and environmental protection policy addresses management commitment;

+

the physical and environmental protection policy addresses management commitment;

-

the physical and environmental protection policy addresses coordination among organizational entities;

+

the physical and environmental protection policy addresses coordination among organizational entities;

-

the physical and environmental protection policy addresses compliance;

+

the physical and environmental protection policy addresses compliance;

-

the physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+

the physical and environmental protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

-

the is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures;

@@ -40490,22 +38446,22 @@ -

the current physical and environmental protection policy is reviewed and updated ;

+

the current physical and environmental protection policy is reviewed and updated ;

-

the current physical and environmental protection policy is reviewed and updated following ;

+

the current physical and environmental protection policy is reviewed and updated following ;

-

the current physical and environmental protection procedures are reviewed and updated ;

+

the current physical and environmental protection procedures are reviewed and updated ;

-

the current physical and environmental protection procedures are reviewed and updated following .

+

the current physical and environmental protection procedures are reviewed and updated following .

@@ -40536,16 +38492,14 @@ - -

frequency at which to review the access list detailing authorized facility access by individuals is defined;

-
+ +

frequency at which to review the access list detailing authorized facility access by individuals is defined;

+
- + @@ -40575,7 +38529,7 @@
-

Review the access list detailing authorized facility access by individuals ; and

+

Review the access list detailing authorized facility access by individuals ; and

@@ -40608,7 +38562,7 @@ -

the access list detailing authorized facility access by individuals is reviewed ;

+

the access list detailing authorized facility access by individuals is reviewed ;

@@ -40651,9 +38605,7 @@ - + @@ -40705,29 +38657,27 @@ - -

a list of acceptable forms of identification for visitor access to the facility where the system resides is defined;

-
+ +

a list of acceptable forms of identification for visitor access to the facility where the system resides is defined;

+
- + -

Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: .

+

Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: .

Acceptable forms of identification include passports, REAL ID-compliant drivers’ licenses, and Personal Identity Verification (PIV) cards. For gaining access to facilities using automated mechanisms, organizations may use PIV cards, key cards, PINs, and biometrics.

-

two forms of identification are required from for visitor access to the facility where the system resides.

+

two forms of identification are required from for visitor access to the facility where the system resides.

@@ -40770,37 +38720,33 @@ security clearances for all information contained within the system formal access authorizations for all information contained within the system need for access to all information contained within the system - - - + - -

physical access authorizations for unescorted access to the facility where the system resides are defined (if selected);

-
+ +

physical access authorizations for unescorted access to the facility where the system resides are defined (if selected);

+
- + -

Restrict unescorted access to the facility where the system resides to personnel with .

+

Restrict unescorted access to the facility where the system resides to personnel with .

Individuals without required security clearances, access approvals, or need to know are escorted by individuals with appropriate physical access authorizations to ensure that information is not exposed or otherwise compromised.

-

unescorted access to the facility where the system resides is restricted to personnel with .

+

unescorted access to the facility where the system resides is restricted to personnel with .

@@ -40839,109 +38785,95 @@ Physical Access Control - - + + - + - -

entry and exit points to the facility in which the system resides are defined;

-
+ +

entry and exit points to the facility in which the system resides are defined;

+
- + - -

physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);

-
+ +

physical access control systems or devices used to control ingress and egress to the facility are defined (if selected);

+
- -

entry or exit points for which physical access logs are maintained are defined;

-
+ +

entry or exit points for which physical access logs are maintained are defined;

+
- -

physical access controls to control access to areas within the facility designated as publicly accessible are defined;

-
+ +

physical access controls to control access to areas within the facility designated as publicly accessible are defined;

+
- + - -

circumstances requiring visitor escorts and control of visitor activity are defined;

-
+ +

circumstances requiring visitor escorts and control of visitor activity are defined;

+
- -

physical access devices to be inventoried are defined;

-
+ +

physical access devices to be inventoried are defined;

+
- -

frequency at which to inventory physical access devices is defined;

-
+ +

frequency at which to inventory physical access devices is defined;

+
- -

frequency at which to change combinations is defined;

-
+ +

frequency at which to change combinations is defined;

+
- -

frequency at which to change keys is defined;

-
+ +

frequency at which to change keys is defined;

+
- + @@ -40973,27 +38905,27 @@ -

Enforce physical access authorizations at by:

+

Enforce physical access authorizations at by:

Verifying individual access authorizations before granting access to the facility; and

-

Controlling ingress and egress to the facility using ;

+

Controlling ingress and egress to the facility using ;

-

Maintain physical access audit logs for ;

+

Maintain physical access audit logs for ;

-

Control access to areas within the facility designated as publicly accessible by implementing the following controls: ;

+

Control access to areas within the facility designated as publicly accessible by implementing the following controls: ;

-

Escort visitors and control visitor activity ;

+

Escort visitors and control visitor activity ;

@@ -41001,11 +38933,11 @@ -

Inventory every ; and

+

Inventory every ; and

-

Change combinations and keys and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

+

Change combinations and keys and/or when keys are lost, combinations are compromised, or when individuals possessing the keys or combinations are transferred or terminated.

@@ -41017,20 +38949,20 @@ -

physical access authorizations are enforced at by verifying individual access authorizations before granting access to the facility;

+

physical access authorizations are enforced at by verifying individual access authorizations before granting access to the facility;

-

physical access authorizations are enforced at by controlling ingress and egress to the facility using ;

+

physical access authorizations are enforced at by controlling ingress and egress to the facility using ;

-

physical access audit logs are maintained for ;

+

physical access audit logs are maintained for ;

-

access to areas within the facility designated as publicly accessible are maintained by implementing ;

+

access to areas within the facility designated as publicly accessible are maintained by implementing ;

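Review bot: out of scope for a whitespace change, but worth tracking separately: the objective `access to areas within the facility designated as publicly accessible are maintained by implementing ;` does not match the statement it assesses, `Control access to areas within the facility designated as publicly accessible by implementing the following controls: ;`. The objective should state that access is controlled (not maintained) by implementing the defined controls, and `access ... are` should read `access ... is`. Since the hunk reproduces the line unchanged on both sides, it is a good candidate for a follow-up content fix rather than something to fold into this reformat.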
@@ -41040,7 +38972,7 @@ -

visitor activity is controlled ;

+

visitor activity is controlled ;

@@ -41060,18 +38992,17 @@ -

- are inventoried ;

+

are inventoried ;

-

combinations are changed , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;

+

combinations are changed , when combinations are compromised, or when individuals possessing the combinations are transferred or terminated;

-

keys are changed , when keys are lost, or when individuals possessing the keys are transferred or terminated.

+

keys are changed , when keys are lost, or when individuals possessing the keys are transferred or terminated.

@@ -41113,24 +39044,20 @@ System Access - + - -

physical spaces containing one or more components of the system are defined;

-
+ +

physical spaces containing one or more components of the system are defined;

+
- + -

Enforce physical access authorizations to the system in addition to the physical access controls for the facility at .

+

Enforce physical access authorizations to the system in addition to the physical access controls for the facility at .

Control of physical access to the system provides additional physical security for those areas within facilities where there is a concentration of system components.

@@ -41143,7 +39070,7 @@
-

physical access controls are enforced for the facility at .

+

physical access controls are enforced for the facility at .

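Review bot: the PE-3(1) objective carried by this hunk, `physical access controls are enforced for the facility at .`, covers only the facility half of the statement `Enforce physical access authorizations to the system in addition to the physical access controls for the facility at .`; the part the enhancement actually adds (authorizations to the system, at the defined physical spaces) is not in the objective shown. The hunk starts mid-list, so please confirm that a companion objective for enforcement of physical access authorizations to the system exists in the surrounding lines, and open a separate content fix if it does not.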
@@ -41185,28 +39112,26 @@ - -

the frequency at which to perform security checks at the physical perimeter of the facility or system for exfiltration of information or removal of system components is defined;

-
+ +

the frequency at which to perform security checks at the physical perimeter of the facility or system for exfiltration of information or removal of system components is defined;

+
- + -

Perform security checks at the physical perimeter of the facility or system for exfiltration of information or removal of system components.

+

Perform security checks at the physical perimeter of the facility or system for exfiltration of information or removal of system components.

Organizations determine the extent, frequency, and/or randomness of security checks to adequately mitigate risk associated with exfiltration.

-

security checks are performed at the physical perimeter of the facility or system for exfiltration of information or removal of system components.

+

security checks are performed at the physical perimeter of the facility or system for exfiltration of information or removal of system components.

@@ -41248,29 +39173,27 @@ - -

physical access points to the facility where the system resides are defined;

-
+ +

physical access points to the facility where the system resides are defined;

+
- + -

Employ guards to control to the facility where the system resides 24 hours per day, 7 days per week.

+

Employ guards to control to the facility where the system resides 24 hours per day, 7 days per week.

Employing guards at selected physical access points to the facility provides a more rapid response capability for organizations. Guards also provide the opportunity for human surveillance in areas of the facility not covered by video surveillance.

-

guards are employed to control to the facility where the system resides 24 hours per day, 7 days per week.

+

guards are employed to control to the facility where the system resides 24 hours per day, 7 days per week.

@@ -41310,26 +39233,24 @@ - -

system components to be protected from unauthorized physical access are defined;

-
+ +

system components to be protected from unauthorized physical access are defined;

+
- + -

Use lockable physical casings to protect from unauthorized physical access.

+

Use lockable physical casings to protect from unauthorized physical access.

The greatest risk from the use of portable devices—such as smart phones, tablets, and notebook computers—is theft. Organizations can employ lockable, physical casings to reduce or eliminate the risk of equipment theft. Such casings come in a variety of sizes, from units that protect a single notebook computer to full cabinets that can protect multiple servers, computers, and peripherals. Lockable physical casings can be used in conjunction with cable locks or lockdown plates to prevent the theft of the locked casing containing the computer equipment.

-

lockable physical casings are used to protect from unauthorized access.

+

lockable physical casings are used to protect from unauthorized access.

@@ -41365,9 +39286,9 @@ - -

anti-tamper technologies to be employed are defined;

-
+ +

anti-tamper technologies to be employed are defined;

+
@@ -41381,30 +39302,27 @@ - -

hardware components to be protected from physical tampering or alteration are defined;

-
+ +

hardware components to be protected from physical tampering or alteration are defined;

+
- + -

Employ to physical tampering or alteration of within the system.

+

Employ to physical tampering or alteration of within the system.

Organizations can implement tamper detection and prevention at selected hardware components or implement tamper detection at some components and tamper prevention at other components. Detection and prevention activities can employ many types of anti-tamper technologies, including tamper-detection seals and anti-tamper coatings. Anti-tamper programs help to detect hardware alterations through counterfeiting and other supply chain-related risks.

-

- are employed to physical tampering or alteration of within the system.

+

are employed to physical tampering or alteration of within the system.

@@ -41447,9 +39365,7 @@ - +

Limit access using physical barriers.

@@ -41485,31 +39401,27 @@ Access Control Vestibules - + - -

locations within the facility where access control vestibules are to be employed are defined;

-
+ +

locations within the facility where access control vestibules are to be employed are defined;

+
- + -

Employ access control vestibules at .

+

Employ access control vestibules at .

An access control vestibule is part of a physical access control system that typically provides a space between two sets of interlocking doors. Vestibules are designed to prevent unauthorized individuals from following authorized individuals into facilities with controlled access. This activity, also known as piggybacking or tailgating, results in unauthorized access to the facility. Interlocking door controllers can be used to limit the number of individuals who enter controlled access points and to provide containment areas while authorization for physical access is verified. Interlocking door controllers can be fully automated (i.e., controlling the opening and closing of the doors) or partially automated (i.e., using security guards to control the number of individuals entering the containment area).

-

access control vestibules are employed at .

+

access control vestibules are employed at .

@@ -41545,24 +39457,22 @@ - -

system distribution and transmission lines requiring physical access controls are defined;

-
+ +

system distribution and transmission lines requiring physical access controls are defined;

+
- -

security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;

-
+ +

security controls to be implemented to control physical access to system distribution and transmission lines within the organizational facility are defined;

+
- + @@ -41574,14 +39484,14 @@ -

Control physical access to within organizational facilities using .

+

Control physical access to within organizational facilities using .

Security controls applied to system distribution and transmission lines prevent accidental damage, disruption, and physical tampering. Such controls may also be necessary to prevent eavesdropping or modification of unencrypted transmissions. Security controls used to control physical access to system distribution and transmission lines include disconnected or locked spare jacks, locked wiring closets, protection of cabling by conduit or cable trays, and wiretapping sensors.

-

physical access to within organizational facilities is controlled using .

+

physical access to within organizational facilities is controlled using .

@@ -41619,30 +39529,28 @@ - -

output devices that require physical access control to output are defined;

-
+ +

output devices that require physical access control to output are defined;

+
- + -

Control physical access to output from to prevent unauthorized individuals from obtaining the output.

+

Control physical access to output from to prevent unauthorized individuals from obtaining the output.

Controlling physical access to output devices includes placing output devices in locked rooms or other secured areas with keypad or card reader access controls and allowing access to authorized individuals only, placing output devices in locations that can be monitored by personnel, installing monitor or screen filters, and using headphones. Examples of output devices include monitors, printers, scanners, audio devices, facsimile machines, and copiers.

-

physical access to output from is controlled to prevent unauthorized individuals from obtaining the output.

+

physical access to output from is controlled to prevent unauthorized individuals from obtaining the output.

@@ -41687,9 +39595,7 @@ - +

Link individual identity to receipt of output from output devices.

@@ -41753,30 +39659,24 @@ - -

the frequency at which to review physical access logs is defined;

-
+ +

the frequency at which to review physical access logs is defined;

+
- + - -

events or potential indication of events requiring physical access logs to be reviewed are defined;

-
+ +

events or potential indication of events requiring physical access logs to be reviewed are defined;

+
- - + + @@ -41792,7 +39692,7 @@
-

Review physical access logs and upon occurrence of ; and

+

Review physical access logs and upon occurrence of ; and

@@ -41800,7 +39700,7 @@
-

Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as AU-2 , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.

+

Physical access monitoring includes publicly accessible areas within organizational facilities. Examples of physical access monitoring include the employment of guards, video surveillance equipment (i.e., cameras), and sensor devices. Reviewing physical access logs can help identify suspicious activity, anomalous events, or potential threats. The reviews can be supported by audit logging controls, such as AU-2 , if the access logs are part of an automated system. Organizational incident response capabilities include investigations of physical security incidents and responses to the incidents. Incidents include security violations or suspicious physical access activities. Suspicious physical access activities include accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.

@@ -41812,11 +39712,11 @@ -

physical access logs are reviewed ;

+

physical access logs are reviewed ;

-

physical access logs are reviewed upon occurrence of ;

+

physical access logs are reviewed upon occurrence of ;

@@ -41867,12 +39767,8 @@ - - + +

Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.

@@ -41932,39 +39828,35 @@ - -

classes or types of intrusions to be recognized by automated mechanisms are defined;

-
+ +

classes or types of intrusions to be recognized by automated mechanisms are defined;

+
- -

response actions to be initiated by automated mechanisms when organization-defined classes or types of intrusions are recognized are defined;

-
+ +

response actions to be initiated by automated mechanisms when organization-defined classes or types of intrusions are recognized are defined;

+
- -

automated mechanisms used to recognize classes or types of intrusions and initiate response actions (defined in PE-06(02)_ODP) are defined;

-
+ +

automated mechanisms used to recognize classes or types of intrusions and initiate response actions (defined in PE-06(02)_ODP) are defined;

+
- - + + -

Recognize and initiate using .

+

Recognize and initiate using .

Response actions can include notifying selected organizational personnel or law enforcement personnel. Automated mechanisms implemented to initiate response actions include system alert notifications, email and text messages, and activating door locking mechanisms. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide integrated threat coverage for the organization.

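Review bot: the third ODP description in this hunk, `automated mechanisms used to recognize classes or types of intrusions and initiate response actions (defined in PE-06(02)_ODP) are defined;`, refers to a parameter by the bare identifier `PE-06(02)_ODP` without saying which of the two preceding ODPs it means (classes or types of intrusions, and response actions); since the statement `Recognize and initiate using .` consumes both, the parenthetical should name both parameters or be dropped. The line is reproduced unchanged on both sides of this hunk, so flagging it for a separate content fix; the whitespace reformat should leave it alone.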
@@ -41973,13 +39865,11 @@ -

- are recognized;

+

are recognized;

-

- are initiated using .

+

are initiated using .

@@ -42021,48 +39911,44 @@ - -

operational areas where video surveillance is to be employed are defined;

-
+ +

operational areas where video surveillance is to be employed are defined;

+
- -

frequency at which to review video recordings is defined;

-
+ +

frequency at which to review video recordings is defined;

+
- -

time period for which to retain video recordings is defined;

-
+ +

time period for which to retain video recordings is defined;

+
- - + + -

Employ video surveillance of ;

+

Employ video surveillance of ;

-

Review video recordings ; and

+

Review video recordings ; and

-

Retain video recordings for .

+

Retain video recordings for .

@@ -42072,15 +39958,15 @@ -

video surveillance of is employed;

+

video surveillance of is employed;

-

video recordings are reviewed ;

+

video recordings are reviewed ;

-

video recordings are retained for .

+

video recordings are retained for .

@@ -42121,34 +40007,28 @@ Monitoring Physical Access to Systems - + - -

physical spaces containing one or more components of the system are defined;

-
+ +

physical spaces containing one or more components of the system are defined;

+
- - + + -

Monitor physical access to the system in addition to the physical access monitoring of the facility at .

+

Monitor physical access to the system in addition to the physical access monitoring of the facility at .

Monitoring physical access to systems provides additional monitoring for those areas within facilities where there is a concentration of system components, including server rooms, media storage areas, and communications centers. Physical access monitoring can be coordinated with intrusion detection systems and system monitoring capabilities to provide comprehensive and integrated threat coverage for the organization.

-

physical access to the system is monitored in addition to the physical access monitoring of the facility at .

+

physical access to the system is monitored in addition to the physical access monitoring of the facility at .

@@ -42201,50 +40081,46 @@ - -

time period for which to maintain visitor access records for the facility where the system resides is defined;

-
+ +

time period for which to maintain visitor access records for the facility where the system resides is defined;

+
- -

the frequency at which to review visitor access records is defined;

-
+ +

the frequency at which to review visitor access records is defined;

+
- -

personnel to whom visitor access records anomalies are reported to is/are defined;

-
+ +

personnel to whom visitor access records anomalies are reported to is/are defined;

+
- - + + -

Maintain visitor access records to the facility where the system resides for ;

+

Maintain visitor access records to the facility where the system resides for ;

-

Review visitor access records ; and

+

Review visitor access records ; and

-

Report anomalies in visitor access records to .

+

Report anomalies in visitor access records to .

@@ -42254,15 +40130,15 @@ -

visitor access records for the facility where the system resides are maintained for ;

+

visitor access records for the facility where the system resides are maintained for ;

-

visitor access records are reviewed ;

+

visitor access records are reviewed ;

-

visitor access records anomalies are reported to .

+

visitor access records anomalies are reported to .

@@ -42299,37 +40175,31 @@ Automated Records Maintenance and Review - - + + - -

automated mechanisms used to maintain visitor access records are defined;

-
+ +

automated mechanisms used to maintain visitor access records are defined;

+
- -

automated mechanisms used to review visitor access records are defined;

-
+ +

automated mechanisms used to review visitor access records are defined;

+
- + -

Maintain and review visitor access records using .

+

Maintain and review visitor access records using .

Visitor access records may be stored and maintained in a database management system that is accessible by organizational personnel. Automated access to such records facilitates record reviews on a regular basis to determine if access authorizations are current and still required to support organizational mission and business functions.

@@ -42338,11 +40208,11 @@ -

visitor access records are maintained using ;

+

visitor access records are maintained using ;

-

visitor access records are reviewed using .

+

visitor access records are reviewed using .

@@ -42389,28 +40259,26 @@ - -

elements identified in the privacy risk assessment to limit personally identifiable information contained in visitor access logs are defined;

-
+ +

elements identified in the privacy risk assessment to limit personally identifiable information contained in visitor access logs are defined;

+
- + -

Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: .

+

Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: .

Organizations may have requirements that specify the contents of visitor access records. Limiting personally identifiable information in visitor access records when such information is not needed for operational purposes helps reduce the level of privacy risk created by a system.

-

personally identifiable information contained in visitor access records is limited to identified in the privacy risk assessment.

+

personally identifiable information contained in visitor access records is limited to identified in the privacy risk assessment.

@@ -42449,9 +40317,7 @@ - +

Protect power equipment and power cabling for the system from damage and destruction.

@@ -42502,26 +40368,24 @@ - -

distance by which redundant power cabling paths are to be physically separated is defined;

-
+ +

distance by which redundant power cabling paths are to be physically separated is defined;

+
- + -

Employ redundant power cabling paths that are physically separated by .

+

Employ redundant power cabling paths that are physically separated by .

Physically separate and redundant power cables ensure that power continues to flow in the event that one of the cables is cut or otherwise damaged.

-

redundant power cabling paths that are physically separated by are employed.

+

redundant power cabling paths that are physically separated by are employed.

@@ -42556,26 +40420,24 @@ - -

the critical system components that require automatic voltage controls are defined;

-
+ +

the critical system components that require automatic voltage controls are defined;

+
- + -

Employ automatic voltage controls for .

+

Employ automatic voltage controls for .

Automatic voltage controls can monitor and control voltage. Such controls include voltage regulators, voltage conditioners, and voltage stabilizers.

-

automatic voltage controls for are employed.

+

automatic voltage controls for are employed.

@@ -42613,36 +40475,32 @@ - -

system or individual system components that require the capability to shut off power in emergency situations is/are defined;

-
+ +

system or individual system components that require the capability to shut off power in emergency situations is/are defined;

+
- + - -

location of emergency shutoff switches or devices by system or system component is defined;

-
+ +

location of emergency shutoff switches or devices by system or system component is defined;

+
- + -

Provide the capability of shutting off power to in emergency situations;

+

Provide the capability of shutting off power to in emergency situations;

-

Place emergency shutoff switches or devices in to facilitate access for authorized personnel; and

+

Place emergency shutoff switches or devices in to facilitate access for authorized personnel; and

@@ -42656,11 +40514,11 @@ -

the capability to shut off power to in emergency situations is provided;

+

the capability to shut off power to in emergency situations is provided;

-

emergency shutoff switches or devices are placed in to facilitate access for authorized personnel;

+

emergency shutoff switches or devices are placed in to facilitate access for authorized personnel;

@@ -42717,21 +40575,19 @@ - + -

Provide an uninterruptible power supply to facilitate in the event of a primary power source loss.

+

Provide an uninterruptible power supply to facilitate in the event of a primary power source loss.

An uninterruptible power supply (UPS) is an electrical system or mechanism that provides emergency power when there is a failure of the main power source. A UPS is typically used to protect computers, data centers, telecommunication equipment, or other electrical equipment where an unexpected power disruption could cause injuries, fatalities, serious mission or business disruption, or loss of data or information. A UPS differs from an emergency power system or backup generator in that the UPS provides near-instantaneous protection from unanticipated power interruptions from the main power source by providing energy stored in batteries, supercapacitors, or flywheels. The battery duration of a UPS is relatively short but provides sufficient time to start a standby power source, such as a backup generator, or properly shut down the system.

-

an uninterruptible power supply is provided to facilitate in the event of a primary power source loss.

+

an uninterruptible power supply is provided to facilitate in the event of a primary power source loss.

@@ -42775,12 +40631,10 @@ - + -

Provide an alternate power supply for the system that is activated and that can maintain minimally required operational capability in the event of an extended loss of the primary power source.

+

Provide an alternate power supply for the system that is activated and that can maintain minimally required operational capability in the event of an extended loss of the primary power source.

Provision of an alternate power supply with minimal operating capability can be satisfied by accessing a secondary commercial power supply or other external power supply.

@@ -42789,7 +40643,7 @@ -

an alternate power supply provided for the system is activated ;

+

an alternate power supply provided for the system is activated ;

@@ -42847,12 +40701,10 @@ - + -

Provide an alternate power supply for the system that is activated and that is:

+

Provide an alternate power supply for the system that is activated and that is:

Self-contained;

@@ -42863,7 +40715,7 @@
-

Capable of maintaining in the event of an extended loss of the primary power source.

+

Capable of maintaining in the event of an extended loss of the primary power source.

@@ -42871,7 +40723,7 @@ -

an alternate power supply provided for the system is activated ;

+

an alternate power supply provided for the system is activated ;

the alternate power supply provided for the system is self-contained;

@@ -42882,7 +40734,7 @@
-

the alternate power supply provided for the system is capable of maintaining in the event of an extended loss of the primary power source.

+

the alternate power supply provided for the system is capable of maintaining in the event of an extended loss of the primary power source.

@@ -42921,9 +40773,7 @@ - + @@ -42984,9 +40834,7 @@ - +

Provide emergency lighting for all areas within the facility supporting essential mission and business functions.

@@ -43034,9 +40882,7 @@ - +

Employ and maintain fire detection and suppression systems that are supported by an independent energy source.

@@ -43105,27 +40951,25 @@ - -

personnel or roles to be notified in the event of a fire is/are defined;

-
+ +

personnel or roles to be notified in the event of a fire is/are defined;

+
- -

emergency responders to be notified in the event of a fire are defined;

-
+ +

emergency responders to be notified in the event of a fire are defined;

+
- + -

Employ fire detection systems that activate automatically and notify and in the event of a fire.

+

Employ fire detection systems that activate automatically and notify and in the event of a fire.

Organizations can identify personnel, roles, and emergency responders if individuals on the notification list need to have access authorizations or clearances (e.g., to enter to facilities where access is restricted due to the classification or impact level of information within the facility). Notification mechanisms may require independent energy sources to ensure that the notification capability is not adversely affected by the fire.

@@ -43138,11 +40982,11 @@
-

fire detection systems that notify automatically are employed in the event of a fire;

+

fire detection systems that notify automatically are employed in the event of a fire;

-

fire detection systems that notify automatically are employed in the event of a fire.

+

fire detection systems that notify automatically are employed in the event of a fire.

@@ -43185,29 +41029,27 @@ - -

personnel or roles to be notified in the event of a fire is/are defined;

-
+ +

personnel or roles to be notified in the event of a fire is/are defined;

+
- -

emergency responders to be notified in the event of a fire are defined;

-
+ +

emergency responders to be notified in the event of a fire are defined;

+
- + -

Employ fire suppression systems that activate automatically and notify and ; and

+

Employ fire suppression systems that activate automatically and notify and ; and

@@ -43227,11 +41069,11 @@ -

fire suppression systems that notify automatically are employed;

+

fire suppression systems that notify automatically are employed;

-

fire suppression systems that notify automatically are employed;

+

fire suppression systems that notify automatically are employed;

@@ -43286,27 +41128,25 @@ - -

the frequency for conducting fire protection inspections on the facility is defined;

-
+ +

the frequency for conducting fire protection inspections on the facility is defined;

+
- -

a time period for resolving deficiencies identified by fire protection inspections is defined;

-
+ +

a time period for resolving deficiencies identified by fire protection inspections is defined;

+
- + -

Ensure that the facility undergoes fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within .

+

Ensure that the facility undergoes fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within .

Authorized and qualified personnel within the jurisdiction of the organization include state, county, and city fire inspectors and fire marshals. Organizations provide escorts during inspections in situations where the systems that reside within the facilities contain sensitive information.

@@ -43315,11 +41155,11 @@ -

the facility undergoes fire protection inspections by authorized and qualified inspectors;

+

the facility undergoes fire protection inspections by authorized and qualified inspectors;

-

the identified deficiencies from fire protection inspections are resolved within .

+

the identified deficiencies from fire protection inspections are resolved within .

@@ -43357,51 +41197,47 @@ humidity pressure radiation - - - + - -

environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);

-
+ +

environmental control(s) for which to maintain a specified level in the facility where the system resides are defined (if selected);

+
- -

acceptable levels for environmental controls are defined;

-
+ +

acceptable levels for environmental controls are defined;

+
- -

frequency at which to monitor environmental control levels is defined;

-
+ +

frequency at which to monitor environmental control levels is defined;

+
- + -

Maintain levels within the facility where the system resides at ; and

+

Maintain levels within the facility where the system resides at ; and

-

Monitor environmental control levels .

+

Monitor environmental control levels .

@@ -43411,12 +41247,11 @@ -

- levels are maintained at within the facility where the system resides;

+

levels are maintained at within the facility where the system resides;

-

environmental control levels are monitored .

+

environmental control levels are monitored .

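Review bot: the hunk shrinks from 12 to 11 lines (`@@ -43411,12 +41247,11 @@`) because the objective text `levels are maintained at within the facility where the system resides;` is folded onto the line before it. That line break was inside the paragraph's text, not between elements, so a whitespace-only pass should leave it alone or the commit message should say that text whitespace is being normalized on purpose.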
@@ -43454,27 +41289,24 @@ - -

automatic environmental controls to prevent fluctuations that are potentially harmful to the system are defined;

-
+ +

automatic environmental controls to prevent fluctuations that are potentially harmful to the system are defined;

+
- + -

Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: .

+

Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: .

The implementation of automatic environmental controls provides an immediate response to environmental conditions that can damage, degrade, or destroy organizational systems or systems components.

-

- are employed in the facility to prevent fluctuations that are potentially harmful to the system.

+

are employed in the facility to prevent fluctuations that are potentially harmful to the system.

@@ -43512,19 +41344,17 @@ - -

personnel or roles to be notified by environmental control monitoring when environmental changes are potentially harmful to personnel or equipment is/are defined;

-
+ +

personnel or roles to be notified by environmental control monitoring when environmental changes are potentially harmful to personnel or equipment is/are defined;

+
- + -

Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to .

+

Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to .

The alarm or notification may be an audible alarm or a visual message in real time to personnel or roles defined by the organization. Such alarms and notifications can help minimize harm to individuals and damage to organizational assets by facilitating a timely incident response.

@@ -43537,7 +41367,7 @@
-

the environmental control monitoring capability provides an alarm or notification to when changes are potentially harmful to personnel or equipment.

+

the environmental control monitoring capability provides an alarm or notification to when changes are potentially harmful to personnel or equipment.

@@ -43575,9 +41405,7 @@ - + @@ -43641,27 +41469,25 @@ - -

personnel or roles to be alerted when the presence of water is detected near the system is/are defined;

-
+ +

personnel or roles to be alerted when the presence of water is detected near the system is/are defined;

+
- -

automated mechanisms used to detect the presence of water near the system are defined;

-
+ +

automated mechanisms used to detect the presence of water near the system are defined;

+
- + -

Detect the presence of water near the system and alert using .

+

Detect the presence of water near the system and alert using .

Automated mechanisms include notification systems, water detection sensors, and alarms.

@@ -43674,8 +41500,7 @@
-

- is/are alerted using .

+

is/are alerted using .

@@ -43712,34 +41537,28 @@ Delivery and Removal - - + + - -

types of system components to be authorized and controlled when entering the facility are defined;

-
+ +

types of system components to be authorized and controlled when entering the facility are defined;

+
- -

types of system components to be authorized and controlled when exiting the facility are defined;

-
+ +

types of system components to be authorized and controlled when exiting the facility are defined;

+
- + @@ -43753,7 +41572,7 @@ -

Authorize and control entering and exiting the facility; and

+

Authorize and control entering and exiting the facility; and

@@ -43769,23 +41588,19 @@ -

- are authorized when entering the facility;

+

are authorized when entering the facility;

-

- are controlled when entering the facility;

+

are controlled when entering the facility;

-

- are authorized when exiting the facility;

+

are authorized when exiting the facility;

-

- are controlled when exiting the facility;

+

are controlled when exiting the facility;

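Review bot: four objective sentences here (`are authorized when entering the facility;`, `are controlled when entering the facility;`, and the two exiting variants) each lose the line break before the sentence text, which accounts for the 23-to-19 drop in the hunk header. Each of these is mixed content, so in XML terms the text changed. Please confirm the reformat stylesheet is meant to touch text inside paragraphs and that consumers comparing against the published catalog tolerate it.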
@@ -43828,24 +41643,22 @@ - -

alternate work sites allowed for use by employees are defined;

-
+ +

alternate work sites allowed for use by employees are defined;

+
- -

controls to be employed at alternate work sites are defined;

-
+ +

controls to be employed at alternate work sites are defined;

+
- + @@ -43853,11 +41666,11 @@ -

Determine and document the allowed for use by employees;

+

Determine and document the allowed for use by employees;

-

Employ the following controls at alternate work sites: ;

+

Employ the following controls at alternate work sites: ;

@@ -43875,13 +41688,11 @@ -

- are determined and documented;

+

are determined and documented;

-

- are employed at alternate work sites;

+

are employed at alternate work sites;

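Review bot: `- are determined and documented;` and `- are employed at alternate work sites;` are both collapsed onto their preceding lines (13 lines to 11). Since both are sentence fragments that follow an inserted parameter, the removed whitespace belongs to the paragraph text rather than to indentation; worth a note in the commit message, or an exclusion for mixed content in the stylesheet.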
@@ -43932,30 +41743,28 @@ - -

physical and environmental hazards that could result in potential damage to system components within the facility are defined;

-
+ +

physical and environmental hazards that could result in potential damage to system components within the facility are defined;

+
- + -

Position system components within the facility to minimize potential damage from and to minimize the opportunity for unauthorized access.

+

Position system components within the facility to minimize potential damage from and to minimize the opportunity for unauthorized access.

Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. Organizations consider the location of entry points where unauthorized individuals, while not being granted access, might nonetheless be near systems. Such proximity can increase the risk of unauthorized access to organizational communications using wireless packet sniffers or microphones, or unauthorized disclosure of information.

-

system components are positioned within the facility to minimize potential damage from and to minimize the opportunity for unauthorized access.

+

system components are positioned within the facility to minimize potential damage from and to minimize the opportunity for unauthorized access.

@@ -43999,9 +41808,7 @@ - + @@ -44049,9 +41856,7 @@ - +

Protect system components, associated data communications, and networks in accordance with national Emissions Security policies and procedures based on the security category or classification of the information.

@@ -44108,45 +41913,42 @@ - -

asset location technologies to be employed to track and monitor the location and movement of assets is defined;

-
+ +

asset location technologies to be employed to track and monitor the location and movement of assets is defined;

+
- -

assets whose location and movement are to be tracked and monitored are defined;

-
+ +

assets whose location and movement are to be tracked and monitored are defined;

+
- -

controlled areas within which asset location and movement are to be tracked and monitored are defined;

-
+ +

controlled areas within which asset location and movement are to be tracked and monitored are defined;

+
- + -

Employ to track and monitor the location and movement of within .

+

Employ to track and monitor the location and movement of within .

Asset location technologies can help ensure that critical assets—including vehicles, equipment, and system components—remain in authorized locations. Organizations consult with the Office of the General Counsel and senior agency official for privacy regarding the deployment and use of asset location technologies to address potential privacy concerns.

-

- are employed to track and monitor the location and movement of within .

+

are employed to track and monitor the location and movement of within .

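Review bot: the join at `- are employed to track and monitor the location and movement of within .` is the only non-indentation change in this hunk and is why the header reads 45 lines before, 42 after. If the intent is that an objective beginning with a parameter placeholder renders as one line, document that rule with the reformat stylesheet; otherwise this is an unintended text edit inside a paragraph.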
@@ -44187,39 +41989,34 @@ - -

protective measures to be employed against electromagnetic pulse damage are defined;

-
+ +

protective measures to be employed against electromagnetic pulse damage are defined;

+
- + - -

system and system components requiring protection against electromagnetic pulse damage are defined;

-
+ +

system and system components requiring protection against electromagnetic pulse damage are defined;

+
- + -

Employ against electromagnetic pulse damage for .

+

Employ against electromagnetic pulse damage for .

An electromagnetic pulse (EMP) is a short burst of electromagnetic energy that is spread over a range of frequencies. Such energy bursts may be natural or man-made. EMP interference may be disruptive or damaging to electronic equipment. Protective measures used to mitigate EMP risk include shielding, surge suppressors, ferro-resonant transformers, and earth grounding. EMP protection may be especially significant for systems and applications that are part of the U.S. critical infrastructure.

-

- are employed against electromagnetic pulse damage for .

+

are employed against electromagnetic pulse damage for .

@@ -44256,31 +42053,28 @@ - -

system hardware components to be marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component are defined;

-
+ +

system hardware components to be marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component are defined;

+
- + -

Mark indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.

+

Mark indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.

-

Hardware components that may require marking include input and output devices. Input devices include desktop and notebook computers, keyboards, tablets, and smart phones. Output devices include printers, monitors/video displays, facsimile machines, scanners, copiers, and audio devices. Permissions controlling output to the output devices are addressed in AC-3 or AC-4 . Components are marked to indicate the impact level or classification level of the system to which the devices are connected, or the impact level or classification level of the information permitted to be output. Security marking refers to the use of human-readable security attributes. Security labeling refers to the use of security attributes for internal system data structures. Security marking is generally not required for hardware components that process, store, or transmit information determined by organizations to be in the public domain or to be publicly releasable. However, organizations may require markings for hardware components that process, store, or transmit public information in order to indicate that such information is publicly releasable. Marking of system hardware components reflects applicable laws, executive orders, directives, policies, regulations, and standards.

+

Hardware components that may require marking include input and output devices. Input devices include desktop and notebook computers, keyboards, tablets, and smart phones. Output devices include printers, monitors/video displays, facsimile machines, scanners, copiers, and audio devices. Permissions controlling output to the output devices are addressed in AC-3 or AC-4 . Components are marked to indicate the impact level or classification level of the system to which the devices are connected, or the impact level or classification level of the information permitted to be output. Security marking refers to the use of human-readable security attributes. Security labeling refers to the use of security attributes for internal system data structures. Security marking is generally not required for hardware components that process, store, or transmit information determined by organizations to be in the public domain or to be publicly releasable. However, organizations may require markings for hardware components that process, store, or transmit public information in order to indicate that such information is publicly releasable. Marking of system hardware components reflects applicable laws, executive orders, directives, policies, regulations, and standards.

-

- are marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.

+

are marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.

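Review bot: this hunk shows the inconsistency directly. In the guidance paragraph the spacing of `AC-3 or AC-4 .` is preserved in both the removed and added lines, which is the right behaviour for mixed content, yet the objective `- are marked indicating the impact level or classification level …` is merged onto the preceding line, changing text whitespace. Suggest making the stylesheet treat all mixed content the same way (verbatim) so the patch is whitespace-only as described.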
@@ -44319,9 +42113,7 @@ - + @@ -44339,7 +42131,7 @@
-

Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. The location of system components within the facility is addressed in PE-18.

+

Physical and environmental hazards include floods, fires, tornadoes, earthquakes, hurricanes, terrorism, vandalism, an electromagnetic pulse, electrical interference, and other forms of incoming electromagnetic radiation. The location of system components within the facility is addressed in PE-18.

@@ -44388,27 +42180,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the planning policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the planning policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the planning procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the planning procedures are to be disseminated is/are defined;

+
@@ -44423,51 +42211,47 @@ - -

an official to manage the planning policy and procedures is defined;

-
+ +

an official to manage the planning policy and procedures is defined;

+
- -

the frequency with which the current planning policy is reviewed and updated is defined;

-
+ +

the frequency with which the current planning policy is reviewed and updated is defined;

+
- -

events that would require the current planning policy to be reviewed and updated are defined;

-
+ +

events that would require the current planning policy to be reviewed and updated are defined;

+
- -

the frequency with which the current planning procedures are reviewed and updated is defined;

-
+ +

the frequency with which the current planning procedures are reviewed and updated is defined;

+
- -

events that would require procedures to be reviewed and updated are defined;

-
+ +

events that would require procedures to be reviewed and updated are defined;

+
- - + + @@ -44480,11 +42264,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- planning policy that:

+

planning policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

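Review bot: `- planning policy that:` is joined to the line above it (11 lines to 10 in the header), and this fragment sits inside paragraph text following an inserted parameter. Same request as for the other joined objective lines in this patch: either exclude mixed content from the reformat or state in the commit message that text-node whitespace is normalized, and back that with a whitespace-collapsed comparison of old and new catalog text.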
@@ -44501,18 +42284,18 @@
-

Designate an to manage the development, documentation, and dissemination of the planning policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the planning policy and procedures; and

Review and update the current planning:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -44529,7 +42312,7 @@
-

the planning policy is disseminated to ;

+

the planning policy is disseminated to ;

@@ -44537,7 +42320,7 @@ -

the planning procedures are disseminated to ;

+

the planning procedures are disseminated to ;

@@ -44545,42 +42328,42 @@ -

the planning policy addresses purpose;

+

the planning policy addresses purpose;

-

the planning policy addresses scope;

+

the planning policy addresses scope;

-

the planning policy addresses roles;

+

the planning policy addresses roles;

-

the planning policy addresses responsibilities;

+

the planning policy addresses responsibilities;

-

the planning policy addresses management commitment;

+

the planning policy addresses management commitment;

-

the planning policy addresses coordination among organizational entities;

+

the planning policy addresses coordination among organizational entities;

-

the planning policy addresses compliance;

+

the planning policy addresses compliance;

-

the planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+

the planning policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

-

the is designated to manage the development, documentation, and dissemination of the planning policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the planning policy and procedures;

@@ -44588,22 +42371,22 @@ -

the current planning policy is reviewed and updated ;

+

the current planning policy is reviewed and updated ;

-

the current planning policy is reviewed and updated following ;

+

the current planning policy is reviewed and updated following ;

-

the current planning procedures are reviewed and updated ;

+

the current planning procedures are reviewed and updated ;

-

the current planning procedures are reviewed and updated following .

+

the current planning procedures are reviewed and updated following .

@@ -44633,35 +42416,31 @@ - -

individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;

-
+ +

individuals or groups with whom security and privacy-related activities affecting the system that require planning and coordination is/are assigned;

+
- -

personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;

-
+ +

personnel or roles to receive distributed copies of the system security and privacy plans is/are assigned;

+
- -

frequency to review system security and privacy plans is defined;

-
+ +

frequency to review system security and privacy plans is defined;

+
- - + + @@ -44762,7 +42541,7 @@
-

Include security- and privacy-related activities affecting the system that require planning and coordination with ; and

+

Include security- and privacy-related activities affecting the system that require planning and coordination with ; and

@@ -44771,11 +42550,11 @@ -

Distribute copies of the plans and communicate subsequent changes to the plans to ;

+

Distribute copies of the plans and communicate subsequent changes to the plans to ;

-

Review the plans ;

+

Review the plans ;

@@ -44787,7 +42566,7 @@
-

System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.

+

System security and privacy plans are scoped to the system and system components within the defined authorization boundary and contain an overview of the security and privacy requirements for the system and the controls selected to satisfy the requirements. The plans describe the intended application of each selected control in the context of the system with a sufficient level of detail to correctly implement the control and to subsequently assess the effectiveness of the control. The control documentation describes how system-specific and hybrid controls are implemented and the plans and expectations regarding the functionality of the system. System security and privacy plans can also be used in the design and development of systems in support of life cycle-based security and privacy engineering processes. System security and privacy plans are living documents that are updated and adapted throughout the system development life cycle (e.g., during capability determination, analysis of alternatives, requests for proposal, and design reviews). Section 2.1 describes the different types of requirements that are relevant to organizations during the system development life cycle and the relationship between requirements and controls.

Organizations may develop a single, integrated security and privacy plan or maintain separate plans. Security and privacy plans relate security and privacy requirements to a set of controls and control enhancements. The plans describe how the controls and control enhancements meet the security and privacy requirements but do not provide detailed, technical descriptions of the design or implementation of the controls and control enhancements. Security and privacy plans contain sufficient information (including specifications of control parameter values for selection and assignment operations explicitly or by reference) to enable a design and implementation that is unambiguously compliant with the intent of the plans and subsequent determinations of risk to organizational operations and assets, individuals, other organizations, and the Nation if the plan is implemented.

Security and privacy plans need not be single documents. The plans can be a collection of various documents, including documents that already exist. Effective security and privacy plans make extensive use of references to policies, procedures, and additional documents, including design and implementation specifications where more detailed information can be obtained. The use of references helps reduce the documentation associated with security and privacy programs and maintains the security- and privacy-related information in other established management and operational areas, including enterprise architecture, system development life cycle, systems engineering, and acquisition. Security and privacy plans need not contain detailed contingency plan or incident response plan information but can instead provide—explicitly or by reference—sufficient information to define what needs to be accomplished by those plans.

Security- and privacy-related activities that may require coordination and planning with other individuals or groups within the organization include assessments, audits, inspections, hardware and software maintenance, acquisition and supply chain risk management, patch management, and contingency plan testing. Planning and coordination include emergency and nonemergency (i.e., planned or non-urgent unplanned) situations. The process defined by organizations to plan and coordinate security- and privacy-related activities can also be included in other documents, as appropriate.

@@ -44943,11 +42722,11 @@ -

a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with ;

+

a security plan for the system is developed that includes security-related activities affecting the system that require planning and coordination with ;

-

a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with ;

+

a privacy plan for the system is developed that includes privacy-related activities affecting the system that require planning and coordination with ;

@@ -44966,16 +42745,16 @@ -

copies of the plans are distributed to ;

+

copies of the plans are distributed to ;

-

subsequent changes to the plans are communicated to ;

+

subsequent changes to the plans are communicated to ;

-

plans are reviewed ;

+

plans are reviewed ;

@@ -45078,17 +42857,15 @@ - -

frequency for reviewing and updating the rules of behavior is defined;

-
+ +

frequency for reviewing and updating the rules of behavior is defined;

+
@@ -45096,19 +42873,15 @@ - -

frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);

-
+ +

frequency for individuals to read and re-acknowledge the rules of behavior is defined (if selected);

+
- - + + @@ -45141,15 +42914,15 @@
-

Review and update the rules of behavior ; and

+

Review and update the rules of behavior ; and

-

Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge .

+

Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge .

-

Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6 ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8 . The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.

+

Rules of behavior represent a type of access agreement for organizational users. Other types of access agreements include nondisclosure agreements, conflict-of-interest agreements, and acceptable use agreements (see PS-6 ). Organizations consider rules of behavior based on individual user roles and responsibilities and differentiate between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users, including individuals who receive information from federal systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for organizational and non-organizational users can also be established in AC-8 . The related controls section provides a list of controls that are relevant to organizational rules of behavior. PL-4b , the documented acknowledgment portion of the control, may be satisfied by the literacy training and awareness and role-based training programs conducted by organizations if such training includes rules of behavior. Documented acknowledgements for rules of behavior include electronic or physical signatures and electronic agreement check boxes or radio buttons.

@@ -45170,11 +42943,11 @@ -

rules of behavior are reviewed and updated ;

+

rules of behavior are reviewed and updated ;

-

individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge .

+

individuals who have acknowledged a previous version of the rules of behavior are required to read and reacknowledge .

@@ -45212,12 +42985,8 @@ - - + + @@ -45307,16 +43076,14 @@ - -

frequency for review and update of the Concept of Operations (CONOPS) is defined;

-
+ +

frequency for review and update of the Concept of Operations (CONOPS) is defined;

+
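Review bot: the hunk headers here have unequal line counts (`@@ -45212,12 +42985,8 @@`, `@@ -45307,16 +43076,14 @@`), so the reflow drops lines rather than only re-indenting them; these are the places to spot-check that only blank lines and wrapper whitespace were removed and that no element was swallowed. A parse-level comparison of old and new files (same element count, same text-node values, ignoring inter-element whitespace) would settle this for the whole file in one pass.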
- + @@ -45328,7 +43095,7 @@
-

Review and update the CONOPS .

+

Review and update the CONOPS .

@@ -45342,7 +43109,7 @@ -

the CONOPS is reviewed and updated .

+

the CONOPS is reviewed and updated .

@@ -45382,19 +43149,15 @@ - -

frequency for review and update to reflect changes in the enterprise architecture;

-
+ +

frequency for review and update to reflect changes in the enterprise architecture;

+
- - + + @@ -45434,7 +43197,7 @@
-

Review and update the architectures to reflect changes in the enterprise architecture; and

+

Review and update the architectures to reflect changes in the enterprise architecture; and

@@ -45442,12 +43205,10 @@
-

The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in PM-7 , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.

-

- SP 800-160-1 provides guidance on the use of security architectures as part of the system development life cycle process. OMB M-19-03 requires the use of the systems security engineering concepts described in SP 800-160-1 for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).

+

The security and privacy architectures at the system level are consistent with the organization-wide security and privacy architectures described in PM-7 , which are integral to and developed as part of the enterprise architecture. The architectures include an architectural description, the allocation of security and privacy functionality (including controls), security- and privacy-related information for external interfaces, information being exchanged across the interfaces, and the protection mechanisms associated with each interface. The architectures can also include other information, such as user roles and the access privileges assigned to each role; security and privacy requirements; types of information processed, stored, and transmitted by the system; supply chain risk management requirements; restoration priorities of information and system services; and other protection needs.

+

SP 800-160-1 provides guidance on the use of security architectures as part of the system development life cycle process. OMB M-19-03 requires the use of the systems security engineering concepts described in SP 800-160-1 for high value assets. Security and privacy architectures are reviewed and updated throughout the system development life cycle, from analysis of alternatives through review of the proposed architecture in the RFP responses to the design reviews before and during implementation (e.g., during preliminary design reviews and critical design reviews).

In today’s modern computing architectures, it is becoming less common for organizations to control all information resources. There may be key dependencies on external information services and service providers. Describing such dependencies in the security and privacy architectures is necessary for developing a comprehensive mission and business protection strategy. Establishing, developing, documenting, and maintaining under configuration control a baseline configuration for organizational systems is critical to implementing and maintaining effective architectures. The development of the architectures is coordinated with the senior agency information security officer and the senior agency official for privacy to ensure that the controls needed to support security and privacy requirements are identified and effectively implemented. In many circumstances, there may be no distinction between the security and privacy architecture for a system. In other circumstances, security objectives may be adequately satisfied, but privacy objectives may only be partially satisfied by the security requirements. In these cases, consideration of the privacy requirements needed to achieve satisfaction will result in a distinct privacy architecture. The documentation, however, may simply reflect the combined architectures.

-

- PL-8 is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17 , which is complementary to PL-8 , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures.

+

PL-8 is primarily directed at organizations to ensure that architectures are developed for the system and, moreover, that the architectures are integrated with or tightly coupled to the enterprise architecture. In contrast, SA-17 is primarily directed at the external information technology product and system developers and integrators. SA-17 , which is complementary to PL-8 , is selected when organizations outsource the development of systems or components to external entities and when there is a need to demonstrate consistency with the organization’s enterprise architecture and security and privacy architectures.

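Review bot: this hunk changes whitespace inside mixed content, not just indentation: the old lines ` SP 800-160-1 provides guidance...` and ` PL-8 is primarily directed...` carry a leading space that the new lines drop. A paragraph's leading or trailing space is harmless when rendered, but it is a change to the text node, so a strict XML comparison will flag it; the verification step should trim leading and trailing whitespace of paragraph content but must not collapse internal spaces, otherwise a real text edit could hide inside this patch unnoticed.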
@@ -45486,7 +43247,7 @@ -

changes in the enterprise architecture are reviewed and updated to reflect changes in the enterprise architecture;

+

changes in the enterprise architecture are reviewed and updated to reflect changes in the enterprise architecture;

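Review bot: the objective text in this hunk reads circularly on both sides: `changes in the enterprise architecture are reviewed and updated to reflect changes in the enterprise architecture`, while the control statement two hunks up says it is the architectures that are reviewed and updated. That is out of scope for a whitespace fixup and should not be touched here, but it is worth opening a separate content issue to confirm the intended subject against the source assessment procedure.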
@@ -45555,27 +43316,23 @@ - -

controls to be allocated are defined;

-
+ +

controls to be allocated are defined;

+
- -

locations and architectural layers are defined;

-
+ +

locations and architectural layers are defined;

+
- - + + @@ -45585,7 +43342,7 @@

Design the security and privacy architectures for the system using a defense-in-depth approach that:

-

Allocates to ; and

+

Allocates to ; and

@@ -45593,7 +43350,7 @@
-

Organizations strategically allocate security and privacy controls in the security and privacy architectures so that adversaries must overcome multiple controls to achieve their objective. Requiring adversaries to defeat multiple controls makes it more difficult to attack information resources by increasing the work factor of the adversary; it also increases the likelihood of detection. The coordination of allocated controls is essential to ensure that an attack that involves one control does not create adverse, unintended consequences by interfering with other controls. Unintended consequences can include system lockout and cascading alarms. The placement of controls in systems and organizations is an important activity that requires thoughtful analysis. The value of organizational assets is an important consideration in providing additional layering. Defense-in-depth architectural approaches include modularity and layering (see SA-8(3) ), separation of system and user functionality (see SC-2 ), and security function isolation (see SC-3).

+

Organizations strategically allocate security and privacy controls in the security and privacy architectures so that adversaries must overcome multiple controls to achieve their objective. Requiring adversaries to defeat multiple controls makes it more difficult to attack information resources by increasing the work factor of the adversary; it also increases the likelihood of detection. The coordination of allocated controls is essential to ensure that an attack that involves one control does not create adverse, unintended consequences by interfering with other controls. Unintended consequences can include system lockout and cascading alarms. The placement of controls in systems and organizations is an important activity that requires thoughtful analysis. The value of organizational assets is an important consideration in providing additional layering. Defense-in-depth architectural approaches include modularity and layering (see SA-8(3) ), separation of system and user functionality (see SC-2 ), and security function isolation (see SC-3).

@@ -45601,11 +43358,11 @@ -

the security architecture for the system is designed using a defense-in-depth approach that allocates to ;

+

the security architecture for the system is designed using a defense-in-depth approach that allocates to ;

-

the privacy architecture for the system is designed using a defense-in-depth approach that allocates to ;

+

the privacy architecture for the system is designed using a defense-in-depth approach that allocates to ;

@@ -45658,40 +43415,35 @@ - -

controls to be allocated are defined;

-
+ +

controls to be allocated are defined;

+
- -

locations and architectural layers are defined;

-
+ +

locations and architectural layers are defined;

+
- - + + -

Require that allocated to are obtained from different suppliers.

+

Require that allocated to are obtained from different suppliers.

Information technology products have different strengths and weaknesses. Providing a broad spectrum of products complements the individual offerings. For example, vendors offering malicious code protection typically update their products at different times, often developing solutions for known viruses, Trojans, or worms based on their priorities and development schedules. By deploying different products at different locations, there is an increased likelihood that at least one of the products will detect the malicious code. With respect to privacy, vendors may offer products that track personally identifiable information in systems. Products may use different tracking methods. Using multiple products may result in more assurance that personally identifiable information is inventoried.

-

- that are allocated to are required to be obtained from different suppliers.

+

that are allocated to are required to be obtained from different suppliers.

@@ -45733,35 +43485,30 @@ - -

security and privacy controls and related processes to be centrally managed are defined;

-
+ +

security and privacy controls and related processes to be centrally managed are defined;

+
- - + + -

Centrally manage .

+

Centrally manage .

Central management refers to organization-wide management and implementation of selected controls and processes. This includes planning, implementing, assessing, authorizing, and monitoring the organization-defined, centrally managed controls and processes. As the central management of controls is generally associated with the concept of common (inherited) controls, such management promotes and facilitates standardization of control implementations and management and the judicious use of organizational resources. Centrally managed controls and processes may also meet independence requirements for assessments in support of initial and ongoing authorizations to operate and as part of organizational continuous monitoring.

Automated tools (e.g., security information and event management tools or enterprise security monitoring and management tools) can improve the accuracy, consistency, and availability of information associated with centrally managed controls and processes. Automation can also provide data aggregation and data correlation capabilities; alerting mechanisms; and dashboards to support risk-based decision-making within the organization.

-

As part of the control selection processes, organizations determine the controls that may be suitable for central management based on resources and capabilities. It is not always possible to centrally manage every aspect of a control. In such cases, the control can be treated as a hybrid control with the control managed and implemented centrally or at the system level. The controls and control enhancements that are candidates for full or partial central management include but are not limited to: AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-4(all), AC-17(1), AC-17(2), AC-17(3), AC-17(9), AC-18(1), AC-18(3), AC-18(4), AC-18(5), AC-19(4), AC-22, AC-23, AT-2(1), AT-2(2), AT-3(1), AT-3(2), AT-3(3), AT-4, AU-3, AU-6(1), AU-6(3), AU-6(5), AU-6(6), AU-6(9), AU-7(1), AU-7(2), AU-11, AU-13, AU-16, CA-2(1), CA-2(2), CA-2(3), CA-3(1), CA-3(2), CA-3(3), CA-7(1), CA-9, CM-2(2), CM-3(1), CM-3(4), CM-4, CM-6, CM-6(1), CM-7(2), CM-7(4), CM-7(5), CM-8(all), CM-9(1), CM-10, CM-11, CP-7(all), CP-8(all), SC-43, SI-2, SI-3, SI-4(all), SI-7, SI-8.

+

As part of the control selection processes, organizations determine the controls that may be suitable for central management based on resources and capabilities. It is not always possible to centrally manage every aspect of a control. In such cases, the control can be treated as a hybrid control with the control managed and implemented centrally or at the system level. The controls and control enhancements that are candidates for full or partial central management include but are not limited to: AC-2(1), AC-2(2), AC-2(3), AC-2(4), AC-4(all), AC-17(1), AC-17(2), AC-17(3), AC-17(9), AC-18(1), AC-18(3), AC-18(4), AC-18(5), AC-19(4), AC-22, AC-23, AT-2(1), AT-2(2), AT-3(1), AT-3(2), AT-3(3), AT-4, AU-3, AU-6(1), AU-6(3), AU-6(5), AU-6(6), AU-6(9), AU-7(1), AU-7(2), AU-11, AU-13, AU-16, CA-2(1), CA-2(2), CA-2(3), CA-3(1), CA-3(2), CA-3(3), CA-7(1), CA-9, CM-2(2), CM-3(1), CM-3(4), CM-4, CM-6, CM-6(1), CM-7(2), CM-7(4), CM-7(5), CM-8(all), CM-9(1), CM-10, CM-11, CP-7(all), CP-8(all), SC-43, SI-2, SI-3, SI-4(all), SI-7, SI-8.

-

- are centrally managed.

+

are centrally managed.

@@ -45797,9 +43544,7 @@ - + @@ -45819,7 +43564,7 @@

Select a control baseline for the system.

-

Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11 ). Federal control baselines are provided in SP 800-53B . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in SP 800-53B are based on the requirements from FISMA and PRIVACT . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. CNSSI 1253 provides guidance on control baselines for national security systems.

+

Control baselines are predefined sets of controls specifically assembled to address the protection needs of a group, organization, or community of interest. Controls are chosen for baselines to either satisfy mandates imposed by laws, executive orders, directives, regulations, policies, standards, and guidelines or address threats common to all users of the baseline under the assumptions specific to the baseline. Baselines represent a starting point for the protection of individuals’ privacy, information, and information systems with subsequent tailoring actions to manage risk in accordance with mission, business, or other constraints (see PL-11 ). Federal control baselines are provided in SP 800-53B . The selection of a control baseline is determined by the needs of stakeholders. Stakeholder needs consider mission and business requirements as well as mandates imposed by applicable laws, executive orders, directives, policies, regulations, standards, and guidelines. For example, the control baselines in SP 800-53B are based on the requirements from FISMA and PRIVACT . The requirements, along with the NIST standards and guidelines implementing the legislation, direct organizations to select one of the control baselines after the reviewing the information types and the information that is processed, stored, and transmitted on the system; analyzing the potential adverse impact of the loss or compromise of the information or system on the organization’s operations and assets, individuals, other organizations, or the Nation; and considering the results from system and organizational risk assessments. CNSSI 1253 provides guidance on control baselines for national security systems.

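Review bot: `after the reviewing the information types` (stray `the`) is present unchanged on both sides of this hunk; leave it alone in a cosmetic patch, but flag it for a separate content correction so it does not get lost behind this large reflow.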
@@ -45865,9 +43610,7 @@ - + @@ -45887,7 +43630,7 @@

Tailor the selected control baseline by applying specified tailoring actions.

-

The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in SP 800-53B . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in SP 800-53B can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in SP 800-53B in accordance with the security and privacy requirements from FISMA, PRIVACT , and OMB A-130 . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in SP 800-53B to specialize or customize the controls that represent the specific needs and concerns of those entities.

+

The concept of tailoring allows organizations to specialize or customize a set of baseline controls by applying a defined set of tailoring actions. Tailoring actions facilitate such specialization and customization by allowing organizations to develop security and privacy plans that reflect their specific mission and business functions, the environments where their systems operate, the threats and vulnerabilities that can affect their systems, and any other conditions or situations that can impact their mission or business success. Tailoring guidance is provided in SP 800-53B . Tailoring a control baseline is accomplished by identifying and designating common controls, applying scoping considerations, selecting compensating controls, assigning values to control parameters, supplementing the control baseline with additional controls as needed, and providing information for control implementation. The general tailoring actions in SP 800-53B can be supplemented with additional actions based on the needs of organizations. Tailoring actions can be applied to the baselines in SP 800-53B in accordance with the security and privacy requirements from FISMA, PRIVACT , and OMB A-130 . Alternatively, other communities of interest adopting different control baselines can apply the tailoring actions in SP 800-53B to specialize or customize the controls that represent the specific needs and concerns of those entities.

@@ -45932,9 +43675,8 @@ Program Management Program Management Controls -

- FISMA, PRIVACT , and OMB A-130 require federal agencies to develop, implement, and provide oversight for organization-wide information security and privacy programs to help ensure the confidentiality, integrity, and availability of federal information processed, stored, and transmitted by federal information systems and to protect individual privacy. The program management (PM) controls described in this section are implemented at the organization level and not directed at individual information systems. The PM controls have been designed to facilitate organizational compliance with applicable federal laws, executive orders, directives, policies, regulations, and standards. The controls are independent of FIPS 200 impact levels and, therefore, are not associated with the control baselines described in SP 800-53B.

-

Organizations document program management controls in the information security and privacy program plans. The organization-wide information security program plan (see PM-1 ) and privacy program plan (see PM-18 ) supplement system security and privacy plans (see PL-2 ) developed for organizational information systems. Together, the system security and privacy plans for the individual information systems and the information security and privacy program plans cover the totality of security and privacy controls employed by the organization.

+

FISMA, PRIVACT , and OMB A-130 require federal agencies to develop, implement, and provide oversight for organization-wide information security and privacy programs to help ensure the confidentiality, integrity, and availability of federal information processed, stored, and transmitted by federal information systems and to protect individual privacy. The program management (PM) controls described in this section are implemented at the organization level and not directed at individual information systems. The PM controls have been designed to facilitate organizational compliance with applicable federal laws, executive orders, directives, policies, regulations, and standards. The controls are independent of FIPS 200 impact levels and, therefore, are not associated with the control baselines described in SP 800-53B.

+

Organizations document program management controls in the information security and privacy program plans. The organization-wide information security program plan (see PM-1 ) and privacy program plan (see PM-18 ) supplement system security and privacy plans (see PL-2 ) developed for organizational information systems. Together, the system security and privacy plans for the individual information systems and the information security and privacy program plans cover the totality of security and privacy controls employed by the organization.
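Review bot: the removed and added paragraphs in this hunk (`- FISMA, PRIVACT , and OMB A-130 require ...` / `+ FISMA, PRIVACT , and OMB A-130 require ...`, and likewise the `Organizations document program management controls ...` pair) are textually identical, and the hunk header only shrinks from 9 to 8 lines, so the intended change is whitespace and line breaks alone; please confirm with `git diff -w` (or `--ignore-all-space`) that this hunk is empty under whitespace-insensitive comparison, since the control text is normative and a real wording change would be easy to miss among identical-looking remove/re-add pairs. The same check covers the other paragraph hunks in this file that follow the same pattern.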

Information Security Program Plan @@ -45942,24 +43684,22 @@ - -

the frequency at which to review and update the organization-wide information security program plan is defined;

-
+ +

the frequency at which to review and update the organization-wide information security program plan is defined;

+
- -

events that trigger the review and update of the organization-wide information security program plan are defined;

-
+ +

events that trigger the review and update of the organization-wide information security program plan are defined;

+
- + @@ -45993,7 +43733,7 @@
-

Review and update the organization-wide information security program plan and following ; and

+

Review and update the organization-wide information security program plan and following ; and

@@ -46001,7 +43741,7 @@
-

An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. An information security program plan can be represented in a single document or compilations of documents. Privacy program plans and supply chain risk management plans are addressed separately in PM-18 and SR-2 , respectively.

+

An information security program plan is a formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. An information security program plan can be represented in a single document or compilations of documents. Privacy program plans and supply chain risk management plans are addressed separately in PM-18 and SR-2 , respectively.

An information security program plan documents implementation details about program management and common controls. The plan provides sufficient information about the controls (including specification of parameters for assignment and selection operations, explicitly or by reference) to enable implementations that are unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended. Updates to information security program plans include organizational changes and problems identified during plan implementation or control assessments.

Program management controls may be implemented at the organization level or the mission or business process level, and are essential for managing the organization’s information security program. Program management controls are distinct from common, system-specific, and hybrid controls because program management controls are independent of any particular system. Together, the individual system security plans and the organization-wide information security program plan provide complete coverage for the security controls employed within the organization.

Common controls available for inheritance by organizational systems are documented in an appendix to the organization’s information security program plan unless the controls are included in a separate security plan for a system. The organization-wide information security program plan indicates which separate security plans contain descriptions of common controls.

@@ -46070,11 +43810,11 @@ -

the information security program plan is reviewed and updated ;

+

the information security program plan is reviewed and updated ;

-

the information security program plan is reviewed and updated following ;

+

the information security program plan is reviewed and updated following ;

@@ -46124,9 +43864,7 @@ - + @@ -46186,9 +43924,7 @@ - + @@ -46284,9 +44020,7 @@ - + @@ -46318,7 +44052,7 @@
-

The plan of action and milestones is a key organizational document and is subject to reporting requirements established by the Office of Management and Budget. Organizations develop plans of action and milestones with an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple plans of action and milestones corresponding to the information system level, mission/business process level, and organizational/governance level. While plans of action and milestones are required for federal organizations, other types of organizations can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones at the system level is provided in CA-5.

+

The plan of action and milestones is a key organizational document and is subject to reporting requirements established by the Office of Management and Budget. Organizations develop plans of action and milestones with an organization-wide perspective, prioritizing risk response actions and ensuring consistency with the goals and objectives of the organization. Plan of action and milestones updates are based on findings from control assessments and continuous monitoring activities. There can be multiple plans of action and milestones corresponding to the information system level, mission/business process level, and organizational/governance level. While plans of action and milestones are required for federal organizations, other types of organizations can help reduce risk by documenting and tracking planned remediations. Specific guidance on plans of action and milestones at the system level is provided in CA-5.
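Review bot: the run of hunks at `@@ -46124,9 +43864,7 @@`, `@@ -46186,9 +43924,7 @@` and `@@ -46284,9 +44020,7 @@` each remove two lines and add one (`- +`) with no visible text, which is consistent with an element's opening and closing tags being joined onto a single line rather than a change to whitespace inside text; please confirm that element names, attributes and content are preserved in the reformatted output (a canonicalized before/after comparison of the XML would do), and note that structural reflow in the commit message, since "whitespace fixup" understates it.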

@@ -46431,24 +44165,21 @@ - -

the frequency at which to update the inventory of organizational systems is defined;

-
+ +

the frequency at which to update the inventory of organizational systems is defined;

+
- + -

Develop and update an inventory of organizational systems.

+

Develop and update an inventory of organizational systems.

-

- OMB A-130 provides guidance on developing systems inventories and associated reporting requirements. System inventory refers to an organization-wide inventory of systems, not system components as described in CM-8.

+

OMB A-130 provides guidance on developing systems inventories and associated reporting requirements. System inventory refers to an organization-wide inventory of systems, not system components as described in CM-8.

@@ -46458,7 +44189,7 @@ -

the inventory of organizational systems is updated .

+

the inventory of organizational systems is updated .

@@ -46495,16 +44226,14 @@ - -

the frequency at which to update the inventory of systems, applications, and projects that process personally identifiable information is defined;

-
+ +

the frequency at which to update the inventory of systems, applications, and projects that process personally identifiable information is defined;

+
- + @@ -46517,7 +44246,7 @@ -

Establish, maintain, and update an inventory of all systems, applications, and projects that process personally identifiable information.

+

Establish, maintain, and update an inventory of all systems, applications, and projects that process personally identifiable information.

An inventory of systems, applications, and projects that process personally identifiable information supports the mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein.

@@ -46534,7 +44263,7 @@
-

an inventory of all systems, applications, and projects that process personally identifiable information is updated .

+

an inventory of all systems, applications, and projects that process personally identifiable information is updated .

@@ -46576,12 +44305,8 @@ - - + + @@ -46658,9 +44383,7 @@ - + @@ -46678,7 +44401,7 @@

Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.

-

The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture and the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8 , the security and privacy architectures are developed at a level that represents an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework SP 800-37 and supporting security standards and guidelines.

+

The integration of security and privacy requirements and controls into the enterprise architecture helps to ensure that security and privacy considerations are addressed throughout the system development life cycle and are explicitly related to the organization’s mission and business processes. The process of security and privacy requirements integration also embeds into the enterprise architecture and the organization’s security and privacy architectures consistent with the organizational risk management strategy. For PM-7, security and privacy architectures are developed at a system-of-systems level, representing all organizational systems. For PL-8 , the security and privacy architectures are developed at a level that represents an individual system. The system-level architectures are consistent with the security and privacy architectures defined for the organization. Security and privacy requirements and control integration are most effectively accomplished through the rigorous application of the Risk Management Framework SP 800-37 and supporting security standards and guidelines.

@@ -46743,28 +44466,25 @@ - -

non-essential functions or services to be offloaded are defined;

-
+ +

non-essential functions or services to be offloaded are defined;

+
- + -

Offload to other systems, system components, or an external provider.

+

Offload to other systems, system components, or an external provider.

Not every function or service that a system provides is essential to organizational mission or business functions. Printing or copying is an example of a non-essential but supporting service for an organization. Whenever feasible, such supportive but non-essential functions or services are not co-located with the functions or services that support essential mission or business functions. Maintaining such functions on the same system or system component increases the attack surface of the organization’s mission-essential functions or services. Moving supportive but non-essential functions to a non-critical system, system component, or external provider can also increase efficiency by putting those functions or services under the control of individuals or providers who are subject matter experts in the functions or services.

-

- are offloaded to other systems, system components, or an external provider.

+

are offloaded to other systems, system components, or an external provider.

@@ -46805,9 +44525,7 @@ - + @@ -46891,19 +44609,15 @@ - -

the frequency at which to review and update the risk management strategy is defined;

-
+ +

the frequency at which to review and update the risk management strategy is defined;

+
- - + + @@ -46966,11 +44680,11 @@
-

Review and update the risk management strategy or as required, to address organizational changes.

+

Review and update the risk management strategy or as required, to address organizational changes.

-

An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization, security and privacy risk mitigation strategies, acceptable risk assessment methodologies, a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure that the strategy is broad-based and comprehensive. The supply chain risk management strategy described in PM-30 can also provide useful inputs to the organization-wide risk management strategy.

+

An organization-wide risk management strategy includes an expression of the security and privacy risk tolerance for the organization, security and privacy risk mitigation strategies, acceptable risk assessment methodologies, a process for evaluating security and privacy risk across the organization with respect to the organization’s risk tolerance, and approaches for monitoring risk over time. The senior accountable official for risk management (agency head or designated official) aligns information security management processes with strategic, operational, and budgetary planning processes. The risk executive function, led by the senior accountable official for risk management, can facilitate consistent application of the risk management strategy organization-wide. The risk management strategy can be informed by security and privacy risk-related inputs from other sources, both internal and external to the organization, to ensure that the strategy is broad-based and comprehensive. The supply chain risk management strategy described in PM-30 can also provide useful inputs to the organization-wide risk management strategy.

@@ -46991,7 +44705,7 @@ -

the risk management strategy is reviewed and updated or as required to address organizational changes.

+

the risk management strategy is reviewed and updated or as required to address organizational changes.

@@ -47030,12 +44744,8 @@ - - + + @@ -47121,16 +44831,14 @@ - -

the frequency at which to review and revise the mission and business processes is defined;

-
+ +

the frequency at which to review and revise the mission and business processes is defined;

+
- + @@ -47156,7 +44864,7 @@
-

Review and revise the mission and business processes .

+

Review and revise the mission and business processes .

@@ -47192,7 +44900,7 @@ -

the mission and business processes are reviewed and revised .

+

the mission and business processes are reviewed and revised .

@@ -47232,12 +44940,8 @@ - - + + @@ -47267,7 +44971,7 @@

Implement an insider threat program that includes a cross-discipline insider threat incident handling team.

-

Organizations that handle classified information are required, under Executive Order 13587 EO 13587 and the National Insider Threat Policy ODNI NITP , to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and nontechnical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans, conduct host-based user monitoring of individual employee activities on government-owned classified computers, provide insider threat awareness training to employees, receive access to information from offices in the department or agency for insider threat analysis, and conduct self-assessments of department or agency insider threat posture.

+

Organizations that handle classified information are required, under Executive Order 13587 EO 13587 and the National Insider Threat Policy ODNI NITP , to establish insider threat programs. The same standards and guidelines that apply to insider threat programs in classified environments can also be employed effectively to improve the security of controlled unclassified and other information in non-national security systems. Insider threat programs include controls to detect and prevent malicious insider activity through the centralized integration and analysis of both technical and nontechnical information to identify potential insider threat concerns. A senior official is designated by the department or agency head as the responsible individual to implement and provide oversight for the program. In addition to the centralized integration and analysis capability, insider threat programs require organizations to prepare department or agency insider threat policies and implementation plans, conduct host-based user monitoring of individual employee activities on government-owned classified computers, provide insider threat awareness training to employees, receive access to information from offices in the department or agency for insider threat analysis, and conduct self-assessments of department or agency insider threat posture.

Insider threat programs can leverage the existence of incident handling teams that organizations may already have in place, such as computer security incident response teams. Human resources records are especially important in this effort, as there is compelling evidence to show that some types of insider crimes are often preceded by nontechnical behaviors in the workplace, including ongoing patterns of disgruntled behavior and conflicts with coworkers and other colleagues. These precursors can guide organizational officials in more focused, targeted monitoring efforts. However, the use of human resource records could raise significant concerns for privacy. The participation of a legal team, including consultation with the senior agency official for privacy, ensures that monitoring activities are performed in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

@@ -47299,9 +45003,7 @@ - + @@ -47358,12 +45060,8 @@ - - + + @@ -47498,9 +45196,7 @@ - + @@ -47594,12 +45290,8 @@ - - + + @@ -47651,12 +45343,8 @@ - - + +

Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information.

@@ -47707,37 +45395,29 @@ Protecting Controlled Unclassified Information on External Systems - - + + - -

the frequency at which to review and update the policy is defined;

-
+ +

the frequency at which to review and update the policy is defined;

+
- -

the frequency at which to review and update the procedures is defined;

-
+ +

the frequency at which to review and update the procedures is defined;

+
- - + + @@ -47751,11 +45431,11 @@
-

Review and update the policy and procedures .

+

Review and update the policy and procedures .

-

Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in 32 CFR 2002 and, specifically for systems external to the federal organization, 32 CFR 2002.14h . The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes.

+

Controlled unclassified information is defined by the National Archives and Records Administration along with the safeguarding and dissemination requirements for such information and is codified in 32 CFR 2002 and, specifically for systems external to the federal organization, 32 CFR 2002.14h . The policy prescribes the specific use and conditions to be implemented in accordance with organizational procedures, including via its contracting processes.

@@ -47774,12 +45454,11 @@ -

policy is reviewed and updated ;

+

policy is reviewed and updated ;

-

procedures are reviewed and updated -

+

procedures are reviewed and updated
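Review bot: the removed line `- procedures are reviewed and updated -` ends with a trailing `-` that the added line `+ procedures are reviewed and updated` does not carry, and the hunk header goes from 12 to 11 lines; confirm that the dropped line is an empty, whitespace-only line and not trailing content of the assessment objective. Separately, the sibling objective in the same hunk reads `policy is reviewed and updated ;` while the procedures objective has no terminating punctuation in either the old or the new line; that is pre-existing rather than introduced here, but it is worth a follow-up fix in the source.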

@@ -47807,16 +45486,14 @@ - -

the frequency of updates to the privacy program plan is defined;

-
+ +

the frequency of updates to the privacy program plan is defined;

+
- + @@ -47853,7 +45530,7 @@
-

Update the plan and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.

+

Update the plan and to address changes in federal privacy laws and policy and organizational changes and problems identified during plan implementation or privacy control assessments.

@@ -47939,7 +45616,7 @@ -

the privacy program plan is updated ;

+

the privacy program plan is updated ;

@@ -47981,9 +45658,7 @@ - + @@ -47994,7 +45669,7 @@

Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program.

-

The privacy officer is an organizational official. For federal agencies—as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines—this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has roles on the data management board (see PM-23 ) and the data integrity board (see PM-24).

+

The privacy officer is an organizational official. For federal agencies—as defined by applicable laws, executive orders, directives, regulations, policies, standards, and guidelines—this official is designated as the senior agency official for privacy. Organizations may also refer to this official as the chief privacy officer. The senior agency official for privacy also has roles on the data management board (see PM-23 ) and the data integrity board (see PM-24).

@@ -48051,9 +45726,7 @@ - + @@ -48079,7 +45752,7 @@
-

For federal agencies, the webpage is located at www.[agency].gov/privacy. Federal agencies include public privacy impact assessments, system of records notices, computer matching notices and agreements, PRIVACT exemption and implementation rules, privacy reports, privacy policies, instructions for individuals making an access or amendment request, email addresses for questions/complaints, blogs, and periodic publications.

+

For federal agencies, the webpage is located at www.[agency].gov/privacy. Federal agencies include public privacy impact assessments, system of records notices, computer matching notices and agreements, PRIVACT exemption and implementation rules, privacy reports, privacy policies, instructions for individuals making an access or amendment request, email addresses for questions/complaints, blogs, and periodic publications.

@@ -48153,12 +45826,8 @@ - - + +

Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that:

@@ -48258,9 +45927,7 @@ - + @@ -48289,7 +45956,7 @@
-

The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed, to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information, and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the PRIVACT ; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.

+

The purpose of accounting of disclosures is to allow individuals to learn to whom their personally identifiable information has been disclosed, to provide a basis for subsequently advising recipients of any corrected or disputed personally identifiable information, and to provide an audit trail for subsequent reviews of organizational compliance with conditions for disclosures. For federal agencies, keeping an accounting of disclosures is required by the PRIVACT ; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.

Organizations can use any system for keeping notations of disclosures, if it can construct from such a system, a document listing of all disclosures along with the required information. Automated mechanisms can be used by organizations to determine when personally identifiable information is disclosed, including commercial services that provide notifications and alerts. Accounting of disclosures may also be used to help organizations verify compliance with applicable privacy statutes and policies governing the disclosure or dissemination of information and dissemination restrictions.

@@ -48368,12 +46035,8 @@ - - + + @@ -48515,27 +46178,23 @@ - -

the roles of a Data Governance Body are defined;

-
+ +

the roles of a Data Governance Body are defined;

+
- -

the responsibilities of a Data Governance Body are defined;

-
+ +

the responsibilities of a Data Governance Body are defined;

+
- - + + @@ -48549,14 +46208,14 @@ -

Establish a Data Governance Body consisting of with .

+

Establish a Data Governance Body consisting of with .

-

A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines that support data modeling, quality, integrity, and the de-identification needs of personally identifiable information across the information life cycle as well as reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the EVIDACT and policies set forth under OMB M-19-23.

+

A Data Governance Body can help ensure that the organization has coherent policies and the ability to balance the utility of data with security and privacy requirements. The Data Governance Body establishes policies, procedures, and standards that facilitate data governance so that data, including personally identifiable information, is effectively managed and maintained in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidance. Responsibilities can include developing and implementing guidelines that support data modeling, quality, integrity, and the de-identification needs of personally identifiable information across the information life cycle as well as reviewing and approving applications to release data outside of the organization, archiving the applications and the released data, and performing post-release monitoring to ensure that the assumptions made as part of the data release continue to be valid. Members include the chief information officer, senior agency information security officer, and senior agency official for privacy. Federal agencies are required to establish a Data Governance Body with specific roles and responsibilities in accordance with the EVIDACT and policies set forth under OMB M-19-23.

-

a Data Governance Body consisting of with is established.

+

a Data Governance Body consisting of with is established.

@@ -48582,12 +46241,8 @@ - - + + @@ -48608,7 +46263,7 @@
-

A Data Integrity Board is the board of senior officials designated by the head of a federal agency and is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated PRIVACT systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy.

+

A Data Integrity Board is the board of senior officials designated by the head of a federal agency and is responsible for, among other things, reviewing the agency’s proposals to conduct or participate in a matching program and conducting an annual review of all matching programs in which the agency has participated. As a general matter, a matching program is a computerized comparison of records from two or more automated PRIVACT systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to Federal benefit programs or Federal personnel or payroll records. At a minimum, the Data Integrity Board includes the Inspector General of the agency, if any, and the senior agency official for privacy.

@@ -48646,54 +46301,44 @@ Minimization of Personally Identifiable Information Used in Testing, Training, and Research - - - - + + + + - -

the frequency for reviewing policies that address the use of personally identifiable information for internal testing, training, and research is defined;

-
+ +

the frequency for reviewing policies that address the use of personally identifiable information for internal testing, training, and research is defined;

+
- -

the frequency for updating policies that address the use of personally identifiable information for internal testing, training, and research is defined;

-
+ +

the frequency for updating policies that address the use of personally identifiable information for internal testing, training, and research is defined;

+
- -

the frequency for reviewing procedures that address the use of personally identifiable information for internal testing, training, and research is defined;

-
+ +

the frequency for reviewing procedures that address the use of personally identifiable information for internal testing, training, and research is defined;

+
- -

the frequency for updating procedures that address the use of personally identifiable information for internal testing, training, and research is defined;

-
+ +

the frequency for updating procedures that address the use of personally identifiable information for internal testing, training, and research is defined;

+
- + @@ -48715,7 +46360,7 @@
-

Review and update policies and procedures .

+

Review and update policies and procedures .

@@ -48808,19 +46453,19 @@ -

policies are reviewed ;

+

policies are reviewed ;

-

policies are updated ;

+

policies are updated ;

-

procedures are reviewed ;

+

procedures are reviewed ;

-

procedures are updated .

+

procedures are updated .

@@ -48858,50 +46503,44 @@ Complaint Management - - + + - -

the time period in which complaints (including concerns or questions) from individuals are to be reviewed is defined;

-
+ +

the time period in which complaints (including concerns or questions) from individuals are to be reviewed is defined;

+
- -

the time period in which complaints (including concerns or questions) from individuals are to be addressed is defined;

-
+ +

the time period in which complaints (including concerns or questions) from individuals are to be addressed is defined;

+
- -

the time period for acknowledging the receipt of complaints is defined;

-
+ +

the time period for acknowledging the receipt of complaints is defined;

+
- -

the time period for responding to complaints is defined;

-
+ +

the time period for responding to complaints is defined;

+
- + @@ -48919,15 +46558,15 @@
-

Tracking mechanisms to ensure all complaints received are reviewed and addressed within ;

+

Tracking mechanisms to ensure all complaints received are reviewed and addressed within ;

-

Acknowledgement of receipt of complaints, concerns, or questions from individuals within ; and

+

Acknowledgement of receipt of complaints, concerns, or questions from individuals within ; and

-

Response to complaints, concerns, or questions from individuals within .

+

Response to complaints, concerns, or questions from individuals within .

@@ -48962,20 +46601,20 @@ -

the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within ;

+

the complaint management process includes tracking mechanisms to ensure that all complaints are reviewed within ;

-

the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within ;

+

the complaint management process includes tracking mechanisms to ensure that all complaints are addressed within ;

-

the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within ;

+

the complaint management process includes acknowledging the receipt of complaints, concerns, or questions from individuals within ;

-

the complaint management process includes responding to complaints, concerns, or questions from individuals within .

+

the complaint management process includes responding to complaints, concerns, or questions from individuals within .

@@ -49013,40 +46652,38 @@ - -

privacy reports are defined;

-
+ +

privacy reports are defined;

+
- -

privacy oversight bodies are defined;

-
+ +

privacy oversight bodies are defined;

+
- -

officials responsible for monitoring privacy program compliance are defined;

-
+ +

officials responsible for monitoring privacy program compliance are defined;

+
- -

the frequency for reviewing and updating privacy reports is defined;

-
+ +

the frequency for reviewing and updating privacy reports is defined;

+
- + @@ -49055,21 +46692,19 @@ -

Develop and disseminate to:

+

Develop and disseminate to:

-

- to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and

+

to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and

-

- and other personnel with responsibility for monitoring privacy program compliance; and

+

and other personnel with responsibility for monitoring privacy program compliance; and

-

Review and update privacy reports .

+

Review and update privacy reports .
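Review bot: the joins in this hunk at "- to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and" and "- and other personnel with responsibility for monitoring privacy program compliance; and", which come back as single "to demonstrate accountability ..." and "and other personnel ..." lines, remove a line break that sat inside a prose paragraph rather than between elements. In XML that whitespace is part of the paragraph's text node, so these hunks change the catalog prose itself, not only indentation, and a consumer that renders the paragraph sees either one collapsed space or no space before "to" depending on how the join was done. Suggest confirming that the reformat touches only whitespace-only text nodes between elements and normalizes in-paragraph whitespace to exactly one space, and spot-checking the rendered text of these paragraphs before and after the change.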

@@ -49079,17 +46714,16 @@ -

- are developed;

+

are developed;

-

the privacy reports are disseminated to to demonstrate accountability with statutory, regulatory, and policy privacy mandates;

+

the privacy reports are disseminated to to demonstrate accountability with statutory, regulatory, and policy privacy mandates;

-

the privacy reports are disseminated to ;

+

the privacy reports are disseminated to ;

@@ -49099,7 +46733,7 @@ -

the privacy reports are reviewed and updated .

+

the privacy reports are reviewed and updated .

@@ -49131,27 +46765,23 @@ - -

the personnel to receive the results of risk framing activities is/are defined;

-
+ +

the personnel to receive the results of risk framing activities is/are defined;

+
- -

the frequency for reviewing and updating risk framing considerations is defined;

-
+ +

the frequency for reviewing and updating risk framing considerations is defined;

+
- - + + @@ -49181,11 +46811,11 @@
-

Distribute the results of risk framing activities to ; and

+

Distribute the results of risk framing activities to ; and

-

Review and update risk framing considerations .

+

Review and update risk framing considerations .

@@ -49243,11 +46873,11 @@ -

the results of risk framing activities are distributed to ;

+

the results of risk framing activities are distributed to ;

-

risk framing considerations are reviewed and updated .

+

risk framing considerations are reviewed and updated .

@@ -49288,9 +46918,7 @@ - + @@ -49368,19 +46996,15 @@ - -

the frequency for reviewing and updating the supply chain risk management strategy is defined;

-
+ +

the frequency for reviewing and updating the supply chain risk management strategy is defined;

+
- - + + @@ -49415,11 +47039,11 @@
-

Review and update the supply chain risk management strategy on or as required, to address organizational changes.

+

Review and update the supply chain risk management strategy on or as required, to address organizational changes.

-

An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk appetite and tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of the security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform supply chain policies and system-level supply chain risk management plans. In addition, the use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organization and mission/business levels, whereas the supply chain risk management plan (see SR-2 ) is implemented at the system level.

+

An organization-wide supply chain risk management strategy includes an unambiguous expression of the supply chain risk appetite and tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the supply chain risk management strategy, and the associated roles and responsibilities. Supply chain risk management includes considerations of the security and privacy risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services. The supply chain risk management strategy can be incorporated into the organization’s overarching risk management strategy and can guide and inform supply chain policies and system-level supply chain risk management plans. In addition, the use of a risk executive function can facilitate a consistent, organization-wide application of the supply chain risk management strategy. The supply chain risk management strategy is implemented at the organization and mission/business levels, whereas the supply chain risk management plan (see SR-2 ) is implemented at the system level.
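Review bot: the `-`/`+` pair for this long supply chain risk management strategy discussion paragraph is identical apart from leading indentation, as are most of the long prose lines in this patch; those whitespace-only pairs make it hard to spot the hunks that also pull a trailing ";" or "." onto the preceding line and so alter paragraph text. Suggest stating in the commit message that `git diff -w` shows the remaining non-whitespace deltas, or splitting the paragraph-join changes into their own commit so the purely cosmetic part can be approved on sight.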

@@ -49484,7 +47108,7 @@ -

the supply chain risk management strategy is reviewed and updated or as required to address organizational changes.

+

the supply chain risk management strategy is reviewed and updated or as required to address organizational changes.

@@ -49512,12 +47136,8 @@ - - + + @@ -49525,7 +47145,7 @@

Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services.

-

The identification and prioritization of suppliers of critical or mission-essential technologies, products, and services is paramount to the mission/business success of organizations. The assessment of suppliers is conducted using supplier reviews (see SR-6 ) and supply chain risk assessment processes (see RA-3(1) ). An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.

+

The identification and prioritization of suppliers of critical or mission-essential technologies, products, and services is paramount to the mission/business success of organizations. The assessment of suppliers is conducted using supplier reviews (see SR-6 ) and supply chain risk assessment processes (see RA-3(1) ). An analysis of supply chain risk can help an organization identify systems or components for which additional supply chain risk mitigations are required.

@@ -49579,83 +47199,73 @@ Continuous Monitoring Strategy - - + + - - + + - -

the metrics for organization-wide continuous monitoring are defined;

-
+ +

the metrics for organization-wide continuous monitoring are defined;

+
- -

the frequency for monitoring is defined;

-
+ +

the frequency for monitoring is defined;

+
- -

the frequency for assessing control effectiveness is defined;

-
+ +

the frequency for assessing control effectiveness is defined;

+
- -

the personnel or roles for reporting the security status of organizational systems to is/are defined;

-
+ +

the personnel or roles for reporting the security status of organizational systems to is/are defined;

+
- -

the personnel or roles for reporting the privacy status of organizational systems to is/are defined;

-
+ +

the personnel or roles for reporting the privacy status of organizational systems to is/are defined;

+
- -

the frequency at which to report the security status of organizational systems is defined;

-
+ +

the frequency at which to report the security status of organizational systems is defined;

+
- -

the frequency at which to report the privacy status of organizational systems is defined;

-
+ +

the frequency at which to report the privacy status of organizational systems is defined;

+
- + @@ -49714,11 +47324,11 @@

Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include:

-

Establishing the following organization-wide metrics to be monitored: ;

+

Establishing the following organization-wide metrics to be monitored: ;

-

Establishing for monitoring and for assessment of control effectiveness;

+

Establishing for monitoring and for assessment of control effectiveness;

@@ -49734,34 +47344,33 @@ -

Reporting the security and privacy status of organizational systems to - .

+

Reporting the security and privacy status of organizational systems to .

-

Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective, timely, and informed risk management decisions, including ongoing authorization decisions. To further facilitate security and privacy risk management, organizations consider aligning organization-defined monitoring metrics with organizational risk tolerance as defined in the risk management strategy. Monitoring requirements, including the need for monitoring, may be referenced in other controls and control enhancements such as, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b, SI-4.

+

Continuous monitoring at the organization level facilitates ongoing awareness of the security and privacy posture across the organization to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and monitor their controls and risks at a frequency sufficient to support risk-based decisions. Different types of controls may require different monitoring frequencies. The results of continuous monitoring guide and inform risk response actions by organizations. Continuous monitoring programs allow organizations to maintain the authorizations of systems and common controls in highly dynamic environments of operation with changing mission and business needs, threats, vulnerabilities, and technologies. Having access to security- and privacy-related information on a continuing basis through reports and dashboards gives organizational officials the capability to make effective, timely, and informed risk management decisions, including ongoing authorization decisions. To further facilitate security and privacy risk management, organizations consider aligning organization-defined monitoring metrics with organizational risk tolerance as defined in the risk management strategy. Monitoring requirements, including the need for monitoring, may be referenced in other controls and control enhancements such as, AC-2g, AC-2(7), AC-2(12)(a), AC-2(7)(b), AC-2(7)(c), AC-17(1), AT-4a, AU-13, AU-13(1), AU-13(2), CA-7, CM-3f, CM-6d, CM-11c, IR-5, MA-2b, MA-3a, MA-4a, PE-3d, PE-6, PE-14b, PE-16, PE-20, PM-6, PM-23, PS-7e, SA-9c, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b, SI-4.

an organization-wide continuous monitoring strategy is developed;

-

continuous monitoring programs are implemented that include establishing to be monitored;

+

continuous monitoring programs are implemented that include establishing to be monitored;

-

continuous monitoring programs are implemented that establish for monitoring;

+

continuous monitoring programs are implemented that establish for monitoring;

-

continuous monitoring programs are implemented that establish for assessment of control effectiveness;

+

continuous monitoring programs are implemented that establish for assessment of control effectiveness;

-

continuous monitoring programs are implemented that include monitoring on an ongoing basis in accordance with the continuous monitoring strategy;

+

continuous monitoring programs are implemented that include monitoring on an ongoing basis in accordance with the continuous monitoring strategy;

@@ -49789,13 +47398,11 @@ -

continuous monitoring programs are implemented that include reporting the security status of organizational systems to - ;

+

continuous monitoring programs are implemented that include reporting the security status of organizational systems to ;

-

continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to - .

+

continuous monitoring programs are implemented that include reporting the privacy status of organizational systems to .

@@ -49842,24 +47449,18 @@ Purposing - + - -

the systems or system components supporting mission-essential services or functions are defined;

-
+ +

the systems or system components supporting mission-essential services or functions are defined;

+
- - + + @@ -49867,15 +47468,14 @@ -

Analyze supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.

+

Analyze supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.

Systems are designed to support a specific mission or business function. However, over time, systems and system components may be used to support services and functions that are outside of the scope of the intended mission or business functions. This can result in exposing information resources to unintended environments and uses that can significantly increase threat exposure. In doing so, the systems are more vulnerable to compromise, which can ultimately impact the services and functions for which they were intended. This is especially impactful for mission-essential services and functions. By analyzing resource use, organizations can identify such potential exposures.

-

- supporting mission-essential services or functions are analyzed to ensure that the information resources are being used in a manner that is consistent with their intended purpose.

+

supporting mission-essential services or functions are analyzed to ensure that the information resources are being used in a manner that is consistent with their intended purpose.

@@ -49903,27 +47503,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the personnel security policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the personnel security policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the personnel security procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the personnel security procedures are to be disseminated is/are defined;

+
@@ -49938,51 +47534,47 @@ - -

an official to manage the personnel security policy and procedures is defined;

-
+ +

an official to manage the personnel security policy and procedures is defined;

+
- -

the frequency at which the current personnel security policy is reviewed and updated is defined;

-
+ +

the frequency at which the current personnel security policy is reviewed and updated is defined;

+
- -

events that would require the current personnel security policy to be reviewed and updated are defined;

-
+ +

events that would require the current personnel security policy to be reviewed and updated are defined;

+
- -

the frequency at which the current personnel security procedures are reviewed and updated is defined;

-
+ +

the frequency at which the current personnel security procedures are reviewed and updated is defined;

+
- -

events that would require the personnel security procedures to be reviewed and updated are defined;

-
+ +

events that would require the personnel security procedures to be reviewed and updated are defined;

+
- - + + @@ -49993,11 +47585,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- personnel security policy that:

+

personnel security policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

@@ -50014,18 +47605,18 @@
-

Designate an to manage the development, documentation, and dissemination of the personnel security policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the personnel security policy and procedures; and

Review and update the current personnel security:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -50042,7 +47633,7 @@
-

the personnel security policy is disseminated to ;

+

the personnel security policy is disseminated to ;

@@ -50050,7 +47641,7 @@ -

the personnel security procedures are disseminated to ;

+

the personnel security procedures are disseminated to ;

@@ -50058,42 +47649,42 @@ -

the personnel security policy addresses purpose;

+

the personnel security policy addresses purpose;

-

the personnel security policy addresses scope;

+

the personnel security policy addresses scope;

-

the personnel security policy addresses roles;

+

the personnel security policy addresses roles;

-

the personnel security policy addresses responsibilities;

+

the personnel security policy addresses responsibilities;

-

the personnel security policy addresses management commitment;

+

the personnel security policy addresses management commitment;

-

the personnel security policy addresses coordination among organizational entities;

+

the personnel security policy addresses coordination among organizational entities;

-

the personnel security policy addresses compliance;

+

the personnel security policy addresses compliance;

-

the personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+

the personnel security policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

-

the is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the personnel security policy and procedures;

@@ -50101,22 +47692,22 @@ -

the current personnel security policy is reviewed and updated ;

+

the current personnel security policy is reviewed and updated ;

-

the current personnel security policy is reviewed and updated following ;

+

the current personnel security policy is reviewed and updated following ;

-

the current personnel security procedures are reviewed and updated ;

+

the current personnel security procedures are reviewed and updated ;

-

the current personnel security procedures are reviewed and updated following .

+

the current personnel security procedures are reviewed and updated following .

@@ -50149,16 +47740,14 @@ - -

the frequency at which to review and update position risk designations is defined;

-
+ +

the frequency at which to review and update position risk designations is defined;

+
- + @@ -50182,7 +47771,7 @@
-

Review and update position risk designations .

+

Review and update position risk designations .

@@ -50200,7 +47789,7 @@ -

position risk designations are reviewed and updated .

+

position risk designations are reviewed and updated .

@@ -50236,34 +47825,28 @@ Personnel Screening - - + + - -

conditions requiring rescreening of individuals are defined;

-
+ +

conditions requiring rescreening of individuals are defined;

+
- -

the frequency of rescreening individuals where it is so indicated is defined;

-
+ +

the frequency of rescreening individuals where it is so indicated is defined;

+
- + @@ -50289,7 +47872,7 @@
-

Rescreen individuals in accordance with .

+

Rescreen individuals in accordance with .

@@ -50305,11 +47888,11 @@ -

individuals are rescreened in accordance with ;

+

individuals are rescreened in accordance with ;

-

where rescreening is so indicated, individuals are rescreened .

+

where rescreening is so indicated, individuals are rescreened .

@@ -50344,9 +47927,7 @@ - + @@ -50354,7 +47935,7 @@

Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.

-

Classified information is the most sensitive information that the Federal Government processes, stores, or transmits. It is imperative that individuals have the requisite security clearances and system access authorizations prior to gaining access to such information. Access authorizations are enforced by system access controls (see AC-3 ) and flow controls (see AC-4).

+

Classified information is the most sensitive information that the Federal Government processes, stores, or transmits. It is imperative that individuals have the requisite security clearances and system access authorizations prior to gaining access to such information. Access authorizations are enforced by system access controls (see AC-3 ) and flow controls (see AC-4).

@@ -50399,9 +47980,7 @@ - + @@ -50449,16 +48028,14 @@ - -

additional personnel screening criteria to be satisfied for individuals accessing a system processing, storing, or transmitting information requiring special protection are defined;

-
+ +

additional personnel screening criteria to be satisfied for individuals accessing a system processing, storing, or transmitting information requiring special protection are defined;

+
- +

Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection:

@@ -50468,7 +48045,7 @@
-

Satisfy .

+

Satisfy .

@@ -50482,7 +48059,7 @@ -

individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy .

+

individuals accessing a system processing, storing, or transmitting information requiring special protection satisfy .

@@ -50521,34 +48098,32 @@ - -

information types that are processed, stored, or transmitted by a system that require individuals accessing the system to meet are defined;

-
+ +

information types that are processed, stored, or transmitted by a system that require individuals accessing the system to meet are defined;

+
- -

citizenship requirements to be met by individuals to access a system processing, storing, or transmitting information are defined;

-
+ +

citizenship requirements to be met by individuals to access a system processing, storing, or transmitting information are defined;

+
- + -

Verify that individuals accessing a system processing, storing, or transmitting meet .

+

Verify that individuals accessing a system processing, storing, or transmitting meet .

None.

-

individuals accessing a system processing, storing, or transmitting meet .

+

individuals accessing a system processing, storing, or transmitting meet .

@@ -50587,24 +48162,22 @@ - -

a time period within which to disable system access is defined;

-
+ +

a time period within which to disable system access is defined;

+
- -

information security topics to be discussed when conducting exit interviews are defined;

-
+ +

information security topics to be discussed when conducting exit interviews are defined;

+
- + @@ -50615,7 +48188,7 @@

Upon termination of individual employment:

-

Disable system access within ;

+

Disable system access within ;

@@ -50623,7 +48196,7 @@ -

Conduct exit interviews that include a discussion of ;

+

Conduct exit interviews that include a discussion of ;

@@ -50641,7 +48214,7 @@ -

upon termination of individual employment, system access is disabled within ;

+

upon termination of individual employment, system access is disabled within ;

@@ -50649,7 +48222,7 @@ -

upon termination of individual employment, exit interviews that include a discussion of are conducted;

+

upon termination of individual employment, exit interviews that include a discussion of are conducted;

@@ -50698,9 +48271,7 @@ - + @@ -50760,9 +48331,9 @@ - -

automated mechanisms to notify personnel or roles of individual termination actions and/or to disable access to system resources are defined;

-
+ +

automated mechanisms to notify personnel or roles of individual termination actions and/or to disable access to system resources are defined;

+
@@ -50776,27 +48347,24 @@ - -

personnel or roles to be notified upon termination of an individual is/are defined (if selected);

-
+ +

personnel or roles to be notified upon termination of an individual is/are defined (if selected);

+
- + -

Use to .

+

Use to .

In organizations with many employees, not all personnel who need to know about termination actions receive the appropriate notifications, or if such notifications are received, they may not occur in a timely manner. Automated mechanisms can be used to send automatic alerts or notifications to organizational personnel or roles when individuals are terminated. Such automatic alerts or notifications can be conveyed in a variety of ways, including via telephone, electronic mail, text message, or websites. Automated mechanisms can also be employed to quickly and thoroughly disable access to system resources after an employee is terminated.

-

- are used to .

+

are used to .

@@ -50836,40 +48404,38 @@ - -

transfer or reassignment actions to be initiated following transfer or reassignment are defined;

-
+ +

transfer or reassignment actions to be initiated following transfer or reassignment are defined;

+
- -

the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;

-
+ +

the time period within which transfer or reassignment actions must occur following transfer or reassignment is defined;

+
- -

personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined;

-
+ +

personnel or roles to be notified when individuals are reassigned or transferred to other positions within the organization is/are defined;

+
- -

time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;

-
+ +

time period within which to notify organization-defined personnel or roles when individuals are reassigned or transferred to other positions within the organization is defined;

+
- + @@ -50883,7 +48449,7 @@
-

Initiate within ;

+

Initiate within ;

@@ -50891,7 +48457,7 @@ -

Notify within .

+

Notify within .

@@ -50905,8 +48471,7 @@ -

- are initiated within ;

+

are initiated within ;

@@ -50914,8 +48479,7 @@ -

- are notified within .

+

are notified within .

@@ -50956,27 +48520,23 @@ - -

the frequency at which to review and update access agreements is defined;

-
+ +

the frequency at which to review and update access agreements is defined;

+
- -

the frequency at which to re-sign access agreements to maintain access to organizational information is defined;

-
+ +

the frequency at which to re-sign access agreements to maintain access to organizational information is defined;

+
- - + + @@ -50994,7 +48554,7 @@
-

Review and update the access agreements ; and

+

Review and update the access agreements ; and

@@ -51005,7 +48565,7 @@ -

Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or .

+

Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or .

@@ -51020,7 +48580,7 @@
-

the access agreements are reviewed and updated ;

+

the access agreements are reviewed and updated ;

@@ -51030,7 +48590,7 @@ -

individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or .

+

individuals requiring access to organizational information and systems re-sign access agreements to maintain access to organizational systems when access agreements have been updated or .

@@ -51080,12 +48640,8 @@ - - + +

Verify that access to classified information requiring special protection is granted only to individuals who:

@@ -51156,12 +48712,8 @@ - - + + @@ -51226,27 +48778,23 @@ - -

personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;

-
+ +

personnel or roles to be notified of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is/are defined;

+
- -

time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;

-
+ +

time period within which third-party providers are required to notify organization-defined personnel or roles of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges is defined;

+
- - + + @@ -51276,7 +48824,7 @@
-

Require external providers to notify of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within ; and

+

Require external providers to notify of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within ; and

@@ -51302,7 +48850,7 @@ -

external providers are required to notify of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within ;

+

external providers are required to notify of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges or who have system privileges within ;

@@ -51349,24 +48897,22 @@ - -

personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;

-
+ +

personnel or roles to be notified when a formal employee sanctions process is initiated is/are defined;

+
- -

the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;

-
+ +

the time period within which organization-defined personnel or roles must be notified when a formal employee sanctions process is initiated is defined;

+
- + @@ -51378,7 +48924,7 @@
-

Notify within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

+

Notify within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

@@ -51392,8 +48938,7 @@ -

- is/are notified within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

+

is/are notified within when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction.

@@ -51435,9 +48980,7 @@ - +

Incorporate security and privacy roles and responsibilities into organizational position descriptions.

@@ -51493,27 +49036,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the personally identifiable information processing and transparency policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the personally identifiable information processing and transparency policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the personally identifiable information processing and transparency procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the personally identifiable information processing and transparency procedures are to be disseminated is/are defined;

+
@@ -51528,60 +49067,55 @@ - -

an official to manage the personally identifiable information processing and transparency policy and procedures is defined;

-
+ +

an official to manage the personally identifiable information processing and transparency policy and procedures is defined;

+
- -

the frequency at which the current personally identifiable information processing and transparency policy is reviewed and updated is defined;

-
+ +

the frequency at which the current personally identifiable information processing and transparency policy is reviewed and updated is defined;

+
- -

events that would require the current personally identifiable information processing and transparency policy to be reviewed and updated are defined;

-
+ +

events that would require the current personally identifiable information processing and transparency policy to be reviewed and updated are defined;

+
- -

the frequency at which the current personally identifiable information processing and transparency procedures are reviewed and updated is defined;

-
+ +

the frequency at which the current personally identifiable information processing and transparency procedures are reviewed and updated is defined;

+
- -

events that would require the personally identifiable information processing and transparency procedures to be reviewed and updated are defined;

-
+ +

events that would require the personally identifiable information processing and transparency procedures to be reviewed and updated are defined;

+
- - + + -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- personally identifiable information processing and transparency policy that:

+

personally identifiable information processing and transparency policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

@@ -51598,18 +49132,18 @@
-

Designate an to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures; and

Review and update the current personally identifiable information processing and transparency:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -51626,7 +49160,7 @@
-

the personally identifiable information processing and transparency policy is disseminated to ;

+

the personally identifiable information processing and transparency policy is disseminated to ;

@@ -51634,7 +49168,7 @@ -

the personally identifiable information processing and transparency procedures are disseminated to ;

+

the personally identifiable information processing and transparency procedures are disseminated to ;

@@ -51642,42 +49176,42 @@ -

the personally identifiable information processing and transparency policy addresses purpose;

+

the personally identifiable information processing and transparency policy addresses purpose;

-

the personally identifiable information processing and transparency policy addresses scope;

+

the personally identifiable information processing and transparency policy addresses scope;

-

the personally identifiable information processing and transparency policy addresses roles;

+

the personally identifiable information processing and transparency policy addresses roles;

-

the personally identifiable information processing and transparency policy addresses responsibilities;

+

the personally identifiable information processing and transparency policy addresses responsibilities;

-

the personally identifiable information processing and transparency policy addresses management commitment;

+

the personally identifiable information processing and transparency policy addresses management commitment;

-

the personally identifiable information processing and transparency policy addresses coordination among organizational entities;

+

the personally identifiable information processing and transparency policy addresses coordination among organizational entities;

-

the personally identifiable information processing and transparency policy addresses compliance;

+

the personally identifiable information processing and transparency policy addresses compliance;

-

the personally identifiable information processing and transparency policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+

the personally identifiable information processing and transparency policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

-

the is designated to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the personally identifiable information processing and transparency policy and procedures;

@@ -51685,22 +49219,22 @@ -

the current personally identifiable information processing and transparency policy is reviewed and updated ;

+

the current personally identifiable information processing and transparency policy is reviewed and updated ;

-

the current personally identifiable information processing and transparency policy is reviewed and updated following ;

+

the current personally identifiable information processing and transparency policy is reviewed and updated following ;

-

the current personally identifiable information processing and transparency procedures are reviewed and updated ;

+

the current personally identifiable information processing and transparency procedures are reviewed and updated ;

-

the current personally identifiable information processing and transparency procedures are reviewed and updated following .

+

the current personally identifiable information processing and transparency procedures are reviewed and updated following .

@@ -51730,35 +49264,31 @@ - -

the authority to permit the processing (defined in PT-02_ODP[02]) of personally identifiable information is defined;

-
+ +

the authority to permit the processing (defined in PT-02_ODP[02]) of personally identifiable information is defined;

+
- -

the type of processing of personally identifiable information is defined;

-
+ +

the type of processing of personally identifiable information is defined;

+
- -

the type of processing of personally identifiable information to be restricted is defined;

-
+ +

the type of processing of personally identifiable information to be restricted is defined;

+
- - + + @@ -51779,28 +49309,28 @@ -

Determine and document the that permits the of personally identifiable information; and

+

Determine and document the that permits the of personally identifiable information; and

-

Restrict the of personally identifiable information to only that which is authorized.

+

Restrict the of personally identifiable information to only that which is authorized.

The processing of personally identifiable information is an operation or set of operations that the information system or organization performs with respect to personally identifiable information across the information life cycle. Processing includes but is not limited to creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Processing operations also include logging, generation, and transformation, as well as analysis techniques, such as data mining.

Organizations may be subject to laws, executive orders, directives, regulations, or policies that establish the organization’s authority and thereby limit certain types of processing of personally identifiable information or establish other requirements related to the processing. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding such authority, particularly if the organization is subject to multiple jurisdictions or sources of authority. For organizations whose processing is not determined according to legal authorities, the organization’s policies and determinations govern how they process personally identifiable information. While processing of personally identifiable information may be legally permissible, privacy risks may still arise. Privacy risk assessments can identify the privacy risks associated with the authorized processing of personally identifiable information and support solutions to manage such risks.

-

Organizations consider applicable requirements and organizational policies to determine how to document this authority. For federal agencies, the authority to process personally identifiable information is documented in privacy policies and notices, system of records notices, privacy impact assessments, PRIVACT statements, computer matching agreements and notices, contracts, information sharing agreements, memoranda of understanding, and other documentation.

+

Organizations consider applicable requirements and organizational policies to determine how to document this authority. For federal agencies, the authority to process personally identifiable information is documented in privacy policies and notices, system of records notices, privacy impact assessments, PRIVACT statements, computer matching agreements and notices, contracts, information sharing agreements, memoranda of understanding, and other documentation.

Organizations take steps to ensure that personally identifiable information is only processed for authorized purposes, including training organizational personnel on the authorized processing of personally identifiable information and monitoring and auditing organizational use of personally identifiable information.

-

the that permits the of personally identifiable information is determined and documented;

+

the that permits the of personally identifiable information is determined and documented;

-

the of personally identifiable information is restricted to only that which is authorized.

+

the of personally identifiable information is restricted to only that which is authorized.

@@ -51834,27 +49364,23 @@ - -

the authorized processing of personally identifiable information is defined;

-
+ +

the authorized processing of personally identifiable information is defined;

+
- -

elements of personally identifiable information to be tagged are defined;

-
+ +

elements of personally identifiable information to be tagged are defined;

+
- - + + @@ -51868,14 +49394,14 @@ -

Attach data tags containing to .

+

Attach data tags containing to .

Data tags support the tracking and enforcement of authorized processing by conveying the types of processing that are authorized along with the relevant elements of personally identifiable information throughout the system. Data tags may also support the use of automated tools.

-

data tags containing are attached to .

+

data tags containing are attached to .

@@ -51914,19 +49440,15 @@ - -

automated mechanisms used to manage enforcement of the authorized processing of personally identifiable information are defined;

-
+ +

automated mechanisms used to manage enforcement of the authorized processing of personally identifiable information are defined;

+
- - + + @@ -51939,14 +49461,14 @@ -

Manage enforcement of the authorized processing of personally identifiable information using .

+

Manage enforcement of the authorized processing of personally identifiable information using .

Automated mechanisms augment verification that only authorized processing is occurring.

-

enforcement of the authorized processing of personally identifiable information is managed using .

+

enforcement of the authorized processing of personally identifiable information is managed using .

@@ -51981,40 +49503,38 @@ - -

the purpose(s) for processing personally identifiable information is/are defined;

-
+ +

the purpose(s) for processing personally identifiable information is/are defined;

+
- -

the processing of personally identifiable information to be restricted is defined;

-
+ +

the processing of personally identifiable information to be restricted is defined;

+
- -

mechanisms to be implemented for ensuring any changes in the processing of personally identifiable information are made in accordance with requirements are defined;

-
+ +

mechanisms to be implemented for ensuring any changes in the processing of personally identifiable information are made in accordance with requirements are defined;

+
- -

requirements for changing the processing of personally identifiable information are defined;

-
+ +

requirements for changing the processing of personally identifiable information are defined;

+
- + @@ -52036,7 +49556,7 @@ -

Identify and document the for processing personally identifiable information;

+

Identify and document the for processing personally identifiable information;

@@ -52044,15 +49564,15 @@ -

Restrict the of personally identifiable information to only that which is compatible with the identified purpose(s); and

+

Restrict the of personally identifiable information to only that which is compatible with the identified purpose(s); and

-

Monitor changes in processing personally identifiable information and implement to ensure that any changes are made in accordance with .

+

Monitor changes in processing personally identifiable information and implement to ensure that any changes are made in accordance with .

-

Identifying and documenting the purpose for processing provides organizations with a basis for understanding why personally identifiable information may be processed. The term process includes every step of the information life cycle, including creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Identifying and documenting the purpose of processing is a prerequisite to enabling owners and operators of the system and individuals whose information is processed by the system to understand how the information will be processed. This enables individuals to make informed decisions about their engagement with information systems and organizations and to manage their privacy interests. Once the specific processing purpose has been identified, the purpose is described in the organization’s privacy notices, policies, and any related privacy compliance documentation, including privacy impact assessments, system of records notices, PRIVACT statements, computer matching notices, and other applicable Federal Register notices.

+

Identifying and documenting the purpose for processing provides organizations with a basis for understanding why personally identifiable information may be processed. The term process includes every step of the information life cycle, including creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal. Identifying and documenting the purpose of processing is a prerequisite to enabling owners and operators of the system and individuals whose information is processed by the system to understand how the information will be processed. This enables individuals to make informed decisions about their engagement with information systems and organizations and to manage their privacy interests. Once the specific processing purpose has been identified, the purpose is described in the organization’s privacy notices, policies, and any related privacy compliance documentation, including privacy impact assessments, system of records notices, PRIVACT statements, computer matching notices, and other applicable Federal Register notices.

Organizations take steps to help ensure that personally identifiable information is processed only for identified purposes, including training organizational personnel and monitoring and auditing organizational processing of personally identifiable information.

Organizations monitor for changes in personally identifiable information processing. Organizational personnel consult with the senior agency official for privacy and legal counsel to ensure that any new purposes that arise from changes in processing are compatible with the purpose for which the information was collected, or if the new purpose is not compatible, implement mechanisms in accordance with defined requirements to allow for the new processing, if appropriate. Mechanisms may include obtaining consent from individuals, revising privacy policies, or other measures to manage privacy risks that arise from changes in personally identifiable information processing purposes.

@@ -52060,7 +49580,7 @@ -

the for processing personally identifiable information is/are identified and documented;

+

the for processing personally identifiable information is/are identified and documented;

@@ -52075,7 +49595,7 @@ -

the of personally identifiable information are restricted to only that which is compatible with the identified purpose(s);

+

the of personally identifiable information are restricted to only that which is compatible with the identified purpose(s);

@@ -52085,8 +49605,7 @@ -

- are implemented to ensure that any changes are made in accordance with .

+

are implemented to ensure that any changes are made in accordance with .

@@ -52129,27 +49648,23 @@ - -

processing purposes to be contained in data tags are defined;

-
+ +

processing purposes to be contained in data tags are defined;

+
- -

elements of personally identifiable information to be tagged are defined;

-
+ +

elements of personally identifiable information to be tagged are defined;

+
- - + + @@ -52161,14 +49676,14 @@ -

Attach data tags containing the following purposes to : .

+

Attach data tags containing the following purposes to : .

Data tags support the tracking of processing purposes by conveying the purposes along with the relevant elements of personally identifiable information throughout the system. By conveying the processing purposes in a data tag along with the personally identifiable information as the information transits a system, a system owner or operator can identify whether a change in processing would be compatible with the identified and documented purposes. Data tags may also support the use of automated tools.

-

data tags containing are attached to .

+

data tags containing are attached to .

@@ -52206,19 +49721,15 @@ - -

automated mechanisms for tracking the processing purposes of personally identifiable information are defined;

-
+ +

automated mechanisms for tracking the processing purposes of personally identifiable information are defined;

+
- - + + @@ -52230,14 +49741,14 @@ -

Track processing purposes of personally identifiable information using .

+

Track processing purposes of personally identifiable information using .

Automated mechanisms augment tracking of the processing purposes.

-

the processing purposes of personally identifiable information are tracked using .

+

the processing purposes of personally identifiable information are tracked using .

@@ -52273,16 +49784,14 @@ - -

the tools or mechanisms to be implemented for individuals to consent to the processing of their personally identifiable information are defined;

-
+ +

the tools or mechanisms to be implemented for individuals to consent to the processing of their personally identifiable information are defined;

+
- + @@ -52290,14 +49799,14 @@ -

Implement for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.

+

Implement for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.

Consent allows individuals to participate in making decisions about the processing of their information and transfers some of the risk that arises from the processing of personally identifiable information from the organization to an individual. Consent may be required by applicable laws, executive orders, directives, regulations, policies, standards, or guidelines. Otherwise, when selecting consent as a control, organizations consider whether individuals can be reasonably expected to understand and accept the privacy risks that arise from their authorization. Organizations consider whether other controls may more effectively mitigate privacy risk either alone or in conjunction with consent. Organizations also consider any demographic or contextual factors that may influence the understanding or behavior of individuals with respect to the processing carried out by the system or organization. When soliciting consent from individuals, organizations consider the appropriate mechanism for obtaining consent, including the type of consent (e.g., opt-in, opt-out), how to properly authenticate and identity proof individuals and how to obtain consent through electronic means. In addition, organizations consider providing a mechanism for individuals to revoke consent once it has been provided, as appropriate. Finally, organizations consider usability factors to help individuals understand the risks being accepted when providing consent, including the use of plain language and avoiding technical jargon.

-

the are implemented for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.

+

the are implemented for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.

@@ -52335,28 +49844,25 @@ - -

tailoring mechanisms for processing selected elements of personally identifiable information permissions are defined;

-
+ +

tailoring mechanisms for processing selected elements of personally identifiable information permissions are defined;

+
- + -

Provide to allow individuals to tailor processing permissions to selected elements of personally identifiable information.

+

Provide to allow individuals to tailor processing permissions to selected elements of personally identifiable information.

While some processing may be necessary for the basic functionality of the product or service, other processing may not. In these circumstances, organizations allow individuals to select how specific personally identifiable information elements may be processed. More tailored consent may help reduce privacy risk, increase individual satisfaction, and avoid adverse behaviors, such as abandonment of the product or service.

-

- are provided to allow individuals to tailor processing permissions to selected elements of personally identifiable information.

+

are provided to allow individuals to tailor processing permissions to selected elements of personally identifiable information.

@@ -52395,44 +49901,41 @@ - -

consent mechanisms to be presented to individuals are defined;

-
+ +

consent mechanisms to be presented to individuals are defined;

+
- -

the frequency at which to present consent mechanisms to individuals is defined;

-
+ +

the frequency at which to present consent mechanisms to individuals is defined;

+
- -

personally identifiable information processing to be presented in conjunction with organization-defined consent mechanisms is defined;

-
+ +

personally identifiable information processing to be presented in conjunction with organization-defined consent mechanisms is defined;

+
- + -

Present to individuals at and in conjunction with .

+

Present to individuals at and in conjunction with .

Just-in-time consent enables individuals to participate in how their personally identifiable information is being processed at the time or in conjunction with specific types of data processing when such participation may be most useful to the individual. Individual assumptions about how personally identifiable information is being processed might not be accurate or reliable if time has passed since the individual last gave consent or the type of processing creates significant privacy risk. Organizations use discretion to determine when to use just-in-time consent and may use supporting information on demographics, focus groups, or surveys to learn more about individuals’ privacy interests and concerns.

-

- are presented to individuals and in conjunction with .

+

are presented to individuals and in conjunction with .

@@ -52469,27 +49972,25 @@ - -

the tools or mechanisms to be implemented for revoking consent to the processing of personally identifiable information are defined;

-
+ +

the tools or mechanisms to be implemented for revoking consent to the processing of personally identifiable information are defined;

+
- + -

Implement for individuals to revoke consent to the processing of their personally identifiable information.

+

Implement for individuals to revoke consent to the processing of their personally identifiable information.

Revocation of consent enables individuals to exercise control over their initial consent decision when circumstances change. Organizations consider usability factors in enabling easy-to-use revocation capabilities.

-

the are implemented for individuals to revoke consent to the processing of their personally identifiable information.

+

the are implemented for individuals to revoke consent to the processing of their personally identifiable information.

@@ -52527,24 +50028,22 @@ - -

the frequency at which a notice is provided to individuals after initial interaction with an organization is defined;

-
+ +

the frequency at which a notice is provided to individuals after initial interaction with an organization is defined;

+
- -

information to be included with the notice about the processing of personally identifiable information is defined;

-
+ +

information to be included with the notice about the processing of personally identifiable information is defined;

+
- + @@ -52561,7 +50060,7 @@

Provide notice to individuals about the processing of personally identifiable information that:

-

Is available to individuals upon first interacting with an organization, and subsequently at ;

+

Is available to individuals upon first interacting with an organization, and subsequently at ;

@@ -52577,7 +50076,7 @@ -

Includes .

+

Includes .

@@ -52594,7 +50093,7 @@ -

a notice to individuals about the processing of personally identifiable information is provided such that the notice is subsequently available to individuals ;

+

a notice to individuals about the processing of personally identifiable information is provided such that the notice is subsequently available to individuals ;

@@ -52611,7 +50110,7 @@ -

a notice to individuals about the processing of personally identifiable information which includes is provided.

+

a notice to individuals about the processing of personally identifiable information which includes is provided.

@@ -52647,27 +50146,25 @@ - -

the frequency at which to present a notice of personally identifiable information processing is defined;

-
+ +

the frequency at which to present a notice of personally identifiable information processing is defined;

+
- + -

Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or .

+

Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data action, or .

Just-in-time notices inform individuals of how organizations process their personally identifiable information at a time when such notices may be most useful to the individuals. Individual assumptions about how personally identifiable information will be processed might not be accurate or reliable if time has passed since the organization last presented notice or the circumstances under which the individual was last provided notice have changed. A just-in-time notice can explain data actions that organizations have identified as potentially giving rise to greater privacy risk for individuals. Organizations can use a just-in-time notice to update or remind individuals about specific data actions as they occur or highlight specific changes that occurred since last presenting notice. A just-in-time notice can be used in conjunction with just-in-time consent to explain what will occur if consent is declined. Organizations use discretion to determine when to use a just-in-time notice and may use supporting information on user demographics, focus groups, or surveys to learn about users’ privacy interests and concerns.

-

a notice of personally identifiable information processing is presented to individuals at a time and location where the individual provides personally identifiable information, in conjunction with a data action, or .

+

a notice of personally identifiable information processing is presented to individuals at a time and location where the individual provides personally identifiable information, in conjunction with a data action, or .

@@ -52701,18 +50198,15 @@ - +

Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by individuals.

-

If a federal agency asks individuals to supply information that will become part of a system of records, the agency is required to provide a PRIVACT statement on the form used to collect the information or on a separate form that can be retained by the individual. The agency provides a PRIVACT statement in such circumstances regardless of whether the information will be collected on a paper or electronic form, on a website, on a mobile application, over the telephone, or through some other medium. This requirement ensures that the individual is provided with sufficient information about the request for information to make an informed decision on whether or not to respond.

-

- PRIVACT statements provide formal notice to individuals of the authority that authorizes the solicitation of the information; whether providing the information is mandatory or voluntary; the principal purpose(s) for which the information is to be used; the published routine uses to which the information is subject; the effects on the individual, if any, of not providing all or any part of the information requested; and an appropriate citation and link to the relevant system of records notice. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding the notice provisions of the PRIVACT.

+

If a federal agency asks individuals to supply information that will become part of a system of records, the agency is required to provide a PRIVACT statement on the form used to collect the information or on a separate form that can be retained by the individual. The agency provides a PRIVACT statement in such circumstances regardless of whether the information will be collected on a paper or electronic form, on a website, on a mobile application, over the telephone, or through some other medium. This requirement ensures that the individual is provided with sufficient information about the request for information to make an informed decision on whether or not to respond.

+

PRIVACT statements provide formal notice to individuals of the authority that authorizes the solicitation of the information; whether providing the information is mandatory or voluntary; the principal purpose(s) for which the information is to be used; the published routine uses to which the information is subject; the effects on the individual, if any, of not providing all or any part of the information requested; and an appropriate citation and link to the relevant system of records notice. Federal agency personnel consult with the senior agency official for privacy and legal counsel regarding the notice provisions of the PRIVACT.

@@ -52752,9 +50246,7 @@ - + @@ -52778,7 +50270,7 @@
-

The PRIVACT requires that federal agencies publish a system of records notice in the Federal Register upon the establishment and/or modification of a PRIVACT system of records. As a general matter, a system of records notice is required when an agency maintains a group of any records under the control of the agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier. The notice describes the existence and character of the system and identifies the system of records, the purpose(s) of the system, the authority for maintenance of the records, the categories of records maintained in the system, the categories of individuals about whom records are maintained, the routine uses to which the records are subject, and additional details about the system as described in OMB A-108.

+

The PRIVACT requires that federal agencies publish a system of records notice in the Federal Register upon the establishment and/or modification of a PRIVACT system of records. As a general matter, a system of records notice is required when an agency maintains a group of any records under the control of the agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier. The notice describes the existence and character of the system and identifies the system of records, the purpose(s) of the system, the authority for maintenance of the records, the categories of records maintained in the system, the categories of individuals about whom records are maintained, the routine uses to which the records are subject, and additional details about the system as described in OMB A-108.

@@ -52835,26 +50327,24 @@ - -

the frequency at which to review all routine uses published in the system of records notice is defined;

-
+ +

the frequency at which to review all routine uses published in the system of records notice is defined;

+
- + -

Review all routine uses published in the system of records notice at to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.

+

Review all routine uses published in the system of records notice at to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.

-

A PRIVACT routine use is a particular kind of disclosure of a record outside of the federal agency maintaining the system of records. A routine use is an exception to the PRIVACT prohibition on the disclosure of a record in a system of records without the prior written consent of the individual to whom the record pertains. To qualify as a routine use, the disclosure must be for a purpose that is compatible with the purpose for which the information was originally collected. The PRIVACT requires agencies to describe each routine use of the records maintained in the system of records, including the categories of users of the records and the purpose of the use. Agencies may only establish routine uses by explicitly publishing them in the relevant system of records notice.

+

A PRIVACT routine use is a particular kind of disclosure of a record outside of the federal agency maintaining the system of records. A routine use is an exception to the PRIVACT prohibition on the disclosure of a record in a system of records without the prior written consent of the individual to whom the record pertains. To qualify as a routine use, the disclosure must be for a purpose that is compatible with the purpose for which the information was originally collected. The PRIVACT requires agencies to describe each routine use of the records maintained in the system of records, including the categories of users of the records and the purpose of the use. Agencies may only establish routine uses by explicitly publishing them in the relevant system of records notice.

-

all routine uses published in the system of records notice are reviewed to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.

+

all routine uses published in the system of records notice are reviewed to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the information was collected.

@@ -52889,36 +50379,34 @@ - -

the frequency at which to review all Privacy Act exemptions claimed for the system of records is defined;

-
+ +

the frequency at which to review all Privacy Act exemptions claimed for the system of records is defined;

+
- + -

Review all Privacy Act exemptions claimed for the system of records at to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice.

+

Review all Privacy Act exemptions claimed for the system of records at to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulations, and that they are accurately described in the system of records notice.

-

The PRIVACT includes two sets of provisions that allow federal agencies to claim exemptions from certain requirements in the statute. In certain circumstances, these provisions allow agencies to promulgate regulations to exempt a system of records from select provisions of the PRIVACT . At a minimum, organizations’ PRIVACT exemption regulations include the specific name(s) of any system(s) of records that will be exempt, the specific provisions of the PRIVACT from which the system(s) of records is to be exempted, the reasons for the exemption, and an explanation for why the exemption is both necessary and appropriate.

+

The PRIVACT includes two sets of provisions that allow federal agencies to claim exemptions from certain requirements in the statute. In certain circumstances, these provisions allow agencies to promulgate regulations to exempt a system of records from select provisions of the PRIVACT . At a minimum, organizations’ PRIVACT exemption regulations include the specific name(s) of any system(s) of records that will be exempt, the specific provisions of the PRIVACT from which the system(s) of records is to be exempted, the reasons for the exemption, and an explanation for why the exemption is both necessary and appropriate.

-

all Privacy Act exemptions claimed for the system of records are reviewed to ensure that they remain appropriate and necessary in accordance with law;

+

all Privacy Act exemptions claimed for the system of records are reviewed to ensure that they remain appropriate and necessary in accordance with law;

-

all Privacy Act exemptions claimed for the system of records are reviewed to ensure that they have been promulgated as regulations;

+

all Privacy Act exemptions claimed for the system of records are reviewed to ensure that they have been promulgated as regulations;

-

all Privacy Act exemptions claimed for the system of records are reviewed to ensure that they are accurately described in the system of records notice.

+

all Privacy Act exemptions claimed for the system of records are reviewed to ensure that they are accurately described in the system of records notice.
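Review bot: both the removed and the added line read "select provisions of the PRIVACT ." with a space before the period, so the reformat pass left that spacing as it was. If that space is literal text content, a whitespace-normalization commit is the right place to drop it so the sentence renders as "provisions of the PRIVACT."; if it only surrounds an inline reference element that this rendering has stripped, leave it and just confirm the reference element is unchanged. The same pattern appears later in this patch ("CM-8 , mappings" and "FIPS 199 , resulting"), so whichever decision is taken should be applied consistently.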

@@ -52956,16 +50444,14 @@ - -

processing conditions to be applied for specific categories of personally identifiable information are defined;

-
+ +

processing conditions to be applied for specific categories of personally identifiable information are defined;

+
- + @@ -52975,15 +50461,14 @@ -

Apply for specific categories of personally identifiable information.

+

Apply for specific categories of personally identifiable information.

Organizations apply any conditions or protections that may be necessary for specific categories of personally identifiable information. These conditions may be required by laws, executive orders, directives, regulations, policies, standards, or guidelines. The requirements may also come from the results of privacy risk assessments that factor in contextual changes that may result in an organizational determination that a particular category of personally identifiable information is particularly sensitive or raises particular privacy risks. Organizations consult with the senior agency official for privacy and legal counsel regarding any protections that may be necessary.

-

- are applied for specific categories of personally identifiable information.

+

are applied for specific categories of personally identifiable information.

@@ -53021,9 +50506,7 @@ - + @@ -53112,15 +50595,13 @@ - +

Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent to and within the scope of an authorized law enforcement activity.

-

The PRIVACT limits agencies’ ability to process information that describes how individuals exercise rights guaranteed by the First Amendment. Organizations consult with the senior agency official for privacy and legal counsel regarding these requirements.

+

The PRIVACT limits agencies’ ability to process information that describes how individuals exercise rights guaranteed by the First Amendment. Organizations consult with the senior agency official for privacy and legal counsel regarding these requirements.

@@ -53159,9 +50640,7 @@ - + @@ -53191,7 +50670,7 @@
-

The PRIVACT establishes requirements for federal and non-federal agencies if they engage in a matching program. In general, a matching program is a computerized comparison of records from two or more automated PRIVACT systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to federal benefit programs or federal personnel or payroll records. A federal benefit match is performed to determine or verify eligibility for payments under federal benefit programs or to recoup payments or delinquent debts under federal benefit programs. A matching program involves not just the matching activity itself but also the investigative follow-up and ultimate action, if any.

+

The PRIVACT establishes requirements for federal and non-federal agencies if they engage in a matching program. In general, a matching program is a computerized comparison of records from two or more automated PRIVACT systems of records or an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program either pertains to federal benefit programs or federal personnel or payroll records. A federal benefit match is performed to determine or verify eligibility for payments under federal benefit programs or to recoup payments or delinquent debts under federal benefit programs. A matching program involves not just the matching activity itself but also the investigative follow-up and ultimate action, if any.

@@ -53270,27 +50749,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the risk assessment policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the risk assessment procedures are to be disseminated is/are defined;

+
@@ -53305,51 +50780,47 @@ - -

an official to manage the risk assessment policy and procedures is defined;

-
+ +

an official to manage the risk assessment policy and procedures is defined;

+
- -

the frequency at which the current risk assessment policy is reviewed and updated is defined;

-
+ +

the frequency at which the current risk assessment policy is reviewed and updated is defined;

+
- -

events that would require the current risk assessment policy to be reviewed and updated are defined;

-
+ +

events that would require the current risk assessment policy to be reviewed and updated are defined;

+
- -

the frequency at which the current risk assessment procedures are reviewed and updated is defined;

-
+ +

the frequency at which the current risk assessment procedures are reviewed and updated is defined;

+
- -

events that would require risk assessment procedures to be reviewed and updated are defined;

-
+ +

events that would require risk assessment procedures to be reviewed and updated are defined;

+
- - + + @@ -53361,11 +50832,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- risk assessment policy that:

+

risk assessment policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

@@ -53382,18 +50852,18 @@
-

Designate an to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the risk assessment policy and procedures; and

Review and update the current risk assessment:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -53410,7 +50880,7 @@
-

the risk assessment policy is disseminated to ;

+

the risk assessment policy is disseminated to ;

@@ -53418,7 +50888,7 @@ -

the risk assessment procedures are disseminated to ;

+

the risk assessment procedures are disseminated to ;

@@ -53426,42 +50896,42 @@ -

the risk assessment policy addresses purpose;

+

the risk assessment policy addresses purpose;

-

the risk assessment policy addresses scope;

+

the risk assessment policy addresses scope;

-

the risk assessment policy addresses roles;

+

the risk assessment policy addresses roles;

-

the risk assessment policy addresses responsibilities;

+

the risk assessment policy addresses responsibilities;

-

the risk assessment policy addresses management commitment;

+

the risk assessment policy addresses management commitment;

-

the risk assessment policy addresses coordination among organizational entities;

+

the risk assessment policy addresses coordination among organizational entities;

-

the risk assessment policy addresses compliance;

+

the risk assessment policy addresses compliance;

-

the risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

+

the risk assessment policy is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines;

-

the is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the risk assessment policy and procedures;

@@ -53469,22 +50939,22 @@ -

the current risk assessment policy is reviewed and updated ;

+

the current risk assessment policy is reviewed and updated ;

-

the current risk assessment policy is reviewed and updated following ;

+

the current risk assessment policy is reviewed and updated following ;

-

the current risk assessment procedures are reviewed and updated ;

+

the current risk assessment procedures are reviewed and updated ;

-

the current risk assessment procedures are reviewed and updated following .

+

the current risk assessment procedures are reviewed and updated following .

@@ -53513,9 +50983,7 @@ - + @@ -53555,9 +51023,9 @@
-

Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. CNSSI 1253 provides additional guidance on categorization for national security systems.

-

Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with USA PATRIOT and Homeland Security Presidential Directives, potential national-level adverse impacts.

-

Security categorization processes facilitate the development of inventories of information assets and, along with CM-8 , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant.

+

Security categories describe the potential adverse impacts or negative consequences to organizational operations, organizational assets, and individuals if organizational information and systems are compromised through a loss of confidentiality, integrity, or availability. Security categorization is also a type of asset loss characterization in systems security engineering processes that is carried out throughout the system development life cycle. Organizations can use privacy risk assessments or privacy impact assessments to better understand the potential adverse effects on individuals. CNSSI 1253 provides additional guidance on categorization for national security systems.

+

Organizations conduct the security categorization process as an organization-wide activity with the direct involvement of chief information officers, senior agency information security officers, senior agency officials for privacy, system owners, mission and business owners, and information owners or stewards. Organizations consider the potential adverse impacts to other organizations and, in accordance with USA PATRIOT and Homeland Security Presidential Directives, potential national-level adverse impacts.

+

Security categorization processes facilitate the development of inventories of information assets and, along with CM-8 , mappings to specific system components where information is processed, stored, or transmitted. The security categorization process is revisited throughout the system development life cycle to ensure that the security categories remain accurate and relevant.

@@ -53607,15 +51075,13 @@ - +

Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels.

-

Organizations apply the high-water mark concept to each system categorized in accordance with FIPS 199 , resulting in systems designated as low impact, moderate impact, or high impact. Organizations that desire additional granularity in the system impact designations for risk-based decision-making, can further partition the systems into sub-categories of the initial system categorization. For example, an impact-level prioritization on a moderate-impact system can produce three new sub-categories: low-moderate systems, moderate-moderate systems, and high-moderate systems. Impact-level prioritization and the resulting sub-categories of the system give organizations an opportunity to focus their investments related to security control selection and the tailoring of control baselines in responding to identified risks. Impact-level prioritization can also be used to determine those systems that may be of heightened interest or value to adversaries or represent a critical loss to the federal enterprise, sometimes described as high value assets. For such high value assets, organizations may be more focused on complexity, aggregation, and information exchanges. Systems with high value assets can be prioritized by partitioning high-impact systems into low-high systems, moderate-high systems, and high-high systems. Alternatively, organizations can apply the guidance in CNSSI 1253 for security objective-related categorization.

+

Organizations apply the high-water mark concept to each system categorized in accordance with FIPS 199 , resulting in systems designated as low impact, moderate impact, or high impact. Organizations that desire additional granularity in the system impact designations for risk-based decision-making, can further partition the systems into sub-categories of the initial system categorization. For example, an impact-level prioritization on a moderate-impact system can produce three new sub-categories: low-moderate systems, moderate-moderate systems, and high-moderate systems. Impact-level prioritization and the resulting sub-categories of the system give organizations an opportunity to focus their investments related to security control selection and the tailoring of control baselines in responding to identified risks. Impact-level prioritization can also be used to determine those systems that may be of heightened interest or value to adversaries or represent a critical loss to the federal enterprise, sometimes described as high value assets. For such high value assets, organizations may be more focused on complexity, aggregation, and information exchanges. Systems with high value assets can be prioritized by partitioning high-impact systems into low-high systems, moderate-high systems, and high-high systems. Alternatively, organizations can apply the guidance in CNSSI 1253 for security objective-related categorization.

@@ -53659,52 +51125,46 @@ - -

a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);

-
+ +

a document in which risk assessment results are to be documented (if not documented in the security and privacy plans or risk assessment report) is defined (if selected);

+
- -

the frequency to review risk assessment results is defined;

-
+ +

the frequency to review risk assessment results is defined;

+
- -

personnel or roles to whom risk assessment results are to be disseminated is/are defined;

-
+ +

personnel or roles to whom risk assessment results are to be disseminated is/are defined;

+
- -

the frequency to update the risk assessment is defined;

-
+ +

the frequency to update the risk assessment is defined;

+
- - + + @@ -53761,19 +51221,19 @@
-

Document risk assessment results in ;

+

Document risk assessment results in ;

-

Review risk assessment results ;

+

Review risk assessment results ;

-

Disseminate risk assessment results to ; and

+

Disseminate risk assessment results to ; and

-

Update the risk assessment or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

+

Update the risk assessment or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

@@ -53804,19 +51264,19 @@ -

risk assessment results are documented in ;

+

risk assessment results are documented in ;

-

risk assessment results are reviewed ;

+

risk assessment results are reviewed ;

-

risk assessment results are disseminated to ;

+

risk assessment results are disseminated to ;

-

the risk assessment is updated or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

+

the risk assessment is updated or when there are significant changes to the system, its environment of operation, or other conditions that may impact the security or privacy state of the system.

@@ -53858,27 +51318,23 @@ - -

systems, system components, and system services to assess supply chain risks are defined;

-
+ +

systems, system components, and system services to assess supply chain risks are defined;

+
- -

the frequency at which to update the supply chain risk assessment is defined;

-
+ +

the frequency at which to update the supply chain risk assessment is defined;

+
- - + + @@ -53888,11 +51344,11 @@ -

Assess supply chain risks associated with ; and

+

Assess supply chain risks associated with ; and

-

Update the supply chain risk assessment , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

+

Update the supply chain risk assessment , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

@@ -53902,11 +51358,11 @@ -

supply chain risks associated with are assessed;

+

supply chain risks associated with are assessed;

-

the supply chain risk assessment is updated , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

+

the supply chain risk assessment is updated , when there are significant changes to the relevant supply chain, or when changes to the system, environments of operation, or other conditions may necessitate a change in the supply chain.

@@ -53951,12 +51407,8 @@ - - + +

Use all-source intelligence to assist in the analysis of risk.

@@ -54007,30 +51459,26 @@ - -

means to determine the current cyber threat environment on an ongoing basis;

-
+ +

means to determine the current cyber threat environment on an ongoing basis;

+
- - + + -

Determine the current cyber threat environment on an ongoing basis using .

+

Determine the current cyber threat environment on an ongoing basis using .

The threat awareness information that is gathered feeds into the organization’s information security operations to ensure that procedures are updated in response to the changing threat environment. For example, at higher threat levels, organizations may change the privilege or authentication thresholds required to perform certain operations.

-

the current cyber threat environment is determined on an ongoing basis using .

+

the current cyber threat environment is determined on an ongoing basis using .

@@ -54068,48 +51516,40 @@ Predictive Cyber Analytics - - + + - -

advanced automation capabilities to predict and identify risks are defined;

-
+ +

advanced automation capabilities to predict and identify risks are defined;

+
- -

systems or system components where advanced automation and analytics capabilities are to be employed are defined;

-
+ +

systems or system components where advanced automation and analytics capabilities are to be employed are defined;

+
- -

advanced analytics capabilities to predict and identify risks are defined;

-
+ +

advanced analytics capabilities to predict and identify risks are defined;

+
- - + + -

Employ the following advanced automation and analytics capabilities to predict and identify risks to : .

+

Employ the following advanced automation and analytics capabilities to predict and identify risks to : .

A properly resourced Security Operations Center (SOC) or Computer Incident Response Team (CIRT) may be overwhelmed by the volume of information generated by the proliferation of security tools and appliances unless it employs advanced automation and analytics to analyze the data. Advanced automation and analytics capabilities are typically supported by artificial intelligence concepts, including machine learning. Examples include Automated Threat Discovery and Response (which includes broad-based collection, context-based analysis, and adaptive response capabilities), automated workflow operations, and machine assisted decision tools. Note, however, that sophisticated adversaries may be able to extract information related to analytic parameters and retrain the machine learning to classify malicious activity as benign. Accordingly, machine learning is augmented by human monitoring to ensure that sophisticated adversaries are not able to conceal their activities.

@@ -54118,13 +51558,11 @@ -

- are employed to predict and identify risks to ;

+

are employed to predict and identify risks to ;

-

- are employed to predict and identify risks to .

+

are employed to predict and identify risks to .

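Review bot: in this hunk the removed lines `-` followed by `- are employed to predict and identify risks to ;` show that the old file broke the line between the opening of the `p` element and the first parameter insertion, and the `+` line rejoins them; that collapse changes leading whitespace inside mixed content, which is part of the text node rather than pure indentation. The same pattern recurs in later hunks of this patch, so the reformat should be checked to only touch whitespace in element-only content and to leave whitespace inside `p` and other mixed-content elements as the original author wrote it.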
@@ -54172,53 +51610,45 @@ Vulnerability Monitoring and Scanning - - + + - -

frequency for monitoring systems and hosted applications for vulnerabilities is defined;

-
+ +

frequency for monitoring systems and hosted applications for vulnerabilities is defined;

+
- -

frequency for scanning systems and hosted applications for vulnerabilities is defined;

-
+ +

frequency for scanning systems and hosted applications for vulnerabilities is defined;

+
- -

response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;

-
+ +

response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;

+
- -

personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;

-
+ +

personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;

+
- - + + @@ -54248,7 +51678,7 @@ -

Monitor and scan for vulnerabilities in the system and hosted applications and when new vulnerabilities potentially affecting the system are identified and reported;

+

Monitor and scan for vulnerabilities in the system and hosted applications and when new vulnerabilities potentially affecting the system are identified and reported;

@@ -54272,11 +51702,11 @@ -

Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;

+

Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;

-

Share information obtained from the vulnerability monitoring process and control assessments with to help eliminate similar vulnerabilities in other systems; and

+

Share information obtained from the vulnerability monitoring process and control assessments with to help eliminate similar vulnerabilities in other systems; and

@@ -54287,7 +51717,7 @@

Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.

Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.

-

Organizations may also employ the use of financial incentives (also known as bug bounties ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.

+

Organizations may also employ the use of financial incentives (also known as bug bounties ) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.

@@ -54295,11 +51725,11 @@ -

systems and hosted applications are monitored for vulnerabilities and when new vulnerabilities potentially affecting the system are identified and reported;

+

systems and hosted applications are monitored for vulnerabilities and when new vulnerabilities potentially affecting the system are identified and reported;

-

systems and hosted applications are scanned for vulnerabilities and when new vulnerabilities potentially affecting the system are identified and reported;

+

systems and hosted applications are scanned for vulnerabilities and when new vulnerabilities potentially affecting the system are identified and reported;

@@ -54324,11 +51754,11 @@ -

legitimate vulnerabilities are remediated in accordance with an organizational assessment of risk;

+

legitimate vulnerabilities are remediated in accordance with an organizational assessment of risk;

-

information obtained from the vulnerability monitoring process and control assessments is shared with to help eliminate similar vulnerabilities in other systems;

+

information obtained from the vulnerability monitoring process and control assessments is shared with to help eliminate similar vulnerabilities in other systems;

@@ -54383,9 +51813,7 @@ @@ -54394,30 +51822,26 @@ - -

the frequency for updating the system vulnerabilities to be scanned is defined (if selected);

-
+ +

the frequency for updating the system vulnerabilities to be scanned is defined (if selected);

+
- - + + -

Update the system vulnerabilities to be scanned .

+

Update the system vulnerabilities to be scanned .

Due to the complexity of modern software, systems, and other factors, new vulnerabilities are discovered on a regular basis. It is important that newly discovered vulnerabilities are added to the list of vulnerabilities to be scanned to ensure that the organization can take steps to mitigate those vulnerabilities in a timely manner.

-

the system vulnerabilities to be scanned are updated .

+

the system vulnerabilities to be scanned are updated .

@@ -54456,18 +51880,14 @@ - - + +

Define the breadth and depth of vulnerability scanning coverage.

-

The breadth of vulnerability scanning coverage can be expressed as a percentage of components within the system, by the particular types of systems, by the criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the depth of vulnerability scanning coverage can be expressed as the level of the system design that the organization intends to monitor (e.g., component, module, subsystem, element). Organizations can determine the sufficiency of vulnerability scanning coverage with regard to its risk tolerance and other factors. Scanning tools and how the tools are configured may affect the depth and coverage. Multiple scanning tools may be needed to achieve the desired depth and coverage. SP 800-53A provides additional information on the breadth and depth of coverage.

+

The breadth of vulnerability scanning coverage can be expressed as a percentage of components within the system, by the particular types of systems, by the criticality of systems, or by the number of vulnerabilities to be checked. Conversely, the depth of vulnerability scanning coverage can be expressed as the level of the system design that the organization intends to monitor (e.g., component, module, subsystem, element). Organizations can determine the sufficiency of vulnerability scanning coverage with regard to its risk tolerance and other factors. Scanning tools and how the tools are configured may affect the depth and coverage. Multiple scanning tools may be needed to achieve the desired depth and coverage. SP 800-53A provides additional information on the breadth and depth of coverage.

@@ -54510,24 +51930,20 @@ - -

corrective actions to be taken if information about the system is discoverable are defined;

-
+ +

corrective actions to be taken if information about the system is discoverable are defined;

+
- - + + -

Determine information about the system that is discoverable and take .

+

Determine information about the system that is discoverable and take .

Discoverable information includes information that adversaries could obtain without compromising or breaching the system, such as by collecting information that the system is exposing or by conducting extensive web searches. Corrective actions include notifying appropriate organizational personnel, removing designated information, or changing the system to make the designated information less relevant or attractive to adversaries. This enhancement excludes intentionally discoverable information that may be part of a decoy capability (e.g., honeypots, honeynets, or deception nets) deployed by the organization.

@@ -54540,8 +51956,7 @@
-

- are taken when information about the system is confirmed as discoverable.

+

are taken when information about the system is confirmed as discoverable.

@@ -54590,37 +52005,33 @@ - -

system components to which privileged access is authorized for selected vulnerability scanning activities are defined;

-
+ +

system components to which privileged access is authorized for selected vulnerability scanning activities are defined;

+
- -

vulnerability scanning activities selected for privileged access authorization to system components are defined;

-
+ +

vulnerability scanning activities selected for privileged access authorization to system components are defined;

+
- - + + -

Implement privileged access authorization to for .

+

Implement privileged access authorization to for .

In certain situations, the nature of the vulnerability scanning may be more intrusive, or the system component that is the subject of the scanning may contain classified or controlled unclassified information, such as personally identifiable information. Privileged access authorization to selected system components facilitates more thorough vulnerability scanning and protects the sensitive nature of such scanning.

-

privileged access authorization is implemented to for .

+

privileged access authorization is implemented to for .

@@ -54667,29 +52078,25 @@ - -

automated mechanisms to compare the results of multiple vulnerability scans are defined;

-
+ +

automated mechanisms to compare the results of multiple vulnerability scans are defined;

+
- - + + -

Compare the results of multiple vulnerability scans using .

+

Compare the results of multiple vulnerability scans using .

Using automated mechanisms to analyze multiple vulnerability scans over time can help determine trends in system vulnerabilities and identify patterns of attack.

-

the results of multiple vulnerability scans are compared using .

+

the results of multiple vulnerability scans are compared using .

@@ -54737,39 +52144,35 @@ - -

a system whose historic audit logs are to be reviewed is defined;

-
+ +

a system whose historic audit logs are to be reviewed is defined;

+
- -

a time period for a potential previous exploit of a system is defined;

-
+ +

a time period for a potential previous exploit of a system is defined;

+
- - + + -

Review historic audit logs to determine if a vulnerability identified in a has been previously exploited within an .

+

Review historic audit logs to determine if a vulnerability identified in a has been previously exploited within an .

Reviewing historic audit logs to determine if a recently detected vulnerability in a system has been previously exploited by an adversary can provide important information for forensic analyses. Such analyses can help identify, for example, the extent of a previous intrusion, the trade craft employed during the attack, organizational information exfiltrated or modified, mission or business capabilities affected, and the duration of the attack.

-

historic audit logs are reviewed to determine if a vulnerability identified in a has been previously exploited within .

+

historic audit logs are reviewed to determine if a vulnerability identified in a has been previously exploited within .

@@ -54820,12 +52223,8 @@ - - + +

Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors.

@@ -54877,12 +52276,8 @@ - - + +

Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.

@@ -54936,57 +52331,48 @@ - -

locations to employ technical surveillance countermeasure surveys are defined;

-
+ +

locations to employ technical surveillance countermeasure surveys are defined;

+
- -

the frequency at which to employ technical surveillance countermeasure surveys is defined (if selected);

-
+ +

the frequency at which to employ technical surveillance countermeasure surveys is defined (if selected);

+
- -

events or indicators which, if they occur, trigger a technical surveillance countermeasures survey are defined (if selected);

-
+ +

events or indicators which, if they occur, trigger a technical surveillance countermeasures survey are defined (if selected);

+
- - + + -

Employ a technical surveillance countermeasures survey at - .

+

Employ a technical surveillance countermeasures survey at .

A technical surveillance countermeasures survey is a service provided by qualified personnel to detect the presence of technical surveillance devices and hazards and to identify technical security weaknesses that could be used in the conduct of a technical penetration of the surveyed facility. Technical surveillance countermeasures surveys also provide evaluations of the technical security posture of organizations and facilities and include visual, electronic, and physical examinations of surveyed facilities, internally and externally. The surveys also provide useful input for risk assessments and information regarding organizational exposure to potential adversaries.

-

a technical surveillance countermeasures survey is employed at - .

+

a technical surveillance countermeasures survey is employed at .

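Review bot: unlike the earlier hunks, the text content differs here: the removed statement reads `Employ a technical surveillance countermeasures survey at - .` (the two parameter insertions were on separate lines) while the added line reads `Employ a technical surveillance countermeasures survey at .`, and the assessment objective pair `a technical surveillance countermeasures survey is employed at - .` / `a technical surveillance countermeasures survey is employed at .` shows the same change. Whitespace between adjacent parameter insertions inside a `p` is significant when the statement is rendered, so confirm that the joined `+` lines still carry a separator between the two insertions; otherwise the resolved control text will run the locations value directly into the frequency/events value.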
@@ -55022,12 +52408,8 @@ - - + + @@ -55101,12 +52483,8 @@ - - + + @@ -55142,7 +52520,7 @@

A privacy impact assessment is an analysis of how personally identifiable information is handled to ensure that handling conforms to applicable privacy requirements, determine the privacy risks associated with an information system or activity, and evaluate ways to mitigate privacy risks. A privacy impact assessment is both an analysis and a formal document that details the process and the outcome of the analysis.

Organizations conduct and develop a privacy impact assessment with sufficient clarity and specificity to demonstrate that the organization fully considered privacy and incorporated appropriate privacy protections from the earliest stages of the organization’s activity and throughout the information life cycle. In order to conduct a meaningful privacy impact assessment, the organization’s senior agency official for privacy works closely with program managers, system owners, information technology experts, security officials, counsel, and other relevant organization personnel. Moreover, a privacy impact assessment is not a time-restricted activity that is limited to a particular milestone or stage of the information system or personally identifiable information life cycles. Rather, the privacy analysis continues throughout the system and personally identifiable information life cycles. Accordingly, a privacy impact assessment is a living document that organizations update whenever changes to the information technology, changes to the organization’s practices, or other factors alter the privacy risks associated with the use of such information technology.

-

To conduct the privacy impact assessment, organizations can use security and privacy risk assessments. Organizations may also use other related processes that may have different names, including privacy threshold analyses. A privacy impact assessment can also serve as notice to the public regarding the organization’s practices with respect to privacy. Although conducting and publishing privacy impact assessments may be required by law, organizations may develop such policies in the absence of applicable laws. For federal agencies, privacy impact assessments may be required by EGOV ; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.

+

To conduct the privacy impact assessment, organizations can use security and privacy risk assessments. Organizations may also use other related processes that may have different names, including privacy threshold analyses. A privacy impact assessment can also serve as notice to the public regarding the organization’s practices with respect to privacy. Although conducting and publishing privacy impact assessments may be required by law, organizations may develop such policies in the absence of applicable laws. For federal agencies, privacy impact assessments may be required by EGOV ; agencies should consult with their senior agency official for privacy and legal counsel on this requirement and be aware of the statutory exceptions and OMB guidance relating to the provision.

@@ -55201,24 +52579,22 @@ - -

systems, system components, or system services to be analyzed for criticality are defined;

-
+ +

systems, system components, or system services to be analyzed for criticality are defined;

+
- -

decision points in the system development life cycle when a criticality analysis is to be performed are defined;

-
+ +

decision points in the system development life cycle when a criticality analysis is to be performed are defined;

+
- + @@ -55232,16 +52608,16 @@ -

Identify critical system components and functions by performing a criticality analysis for at .

+

Identify critical system components and functions by performing a criticality analysis for at .

-

Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.

+

Not all system components, functions, or services necessarily require significant protections. For example, criticality analysis is a key tenet of supply chain risk management and informs the prioritization of protection activities. The identification of critical system components and functions considers applicable laws, executive orders, regulations, directives, policies, standards, system functionality requirements, system and component interfaces, and system and component dependencies. Systems engineers conduct a functional decomposition of a system to identify mission-critical functions and components. The functional decomposition includes the identification of organizational missions supported by the system, decomposition into the specific functions to perform those missions, and traceability to the hardware, software, and firmware components that implement those functions, including when the functions are shared by many components within and external to the system.

The operational environment of a system or a system component may impact the criticality, including the connections to and dependencies on cyber-physical systems, devices, system-of-systems, and outsourced IT services. System components that allow unmediated access to critical system components or functions are considered critical due to the inherent vulnerabilities that such components create. Component and function criticality are assessed in terms of the impact of a component or function failure on the organizational missions that are supported by the system that contains the components and functions.

-

Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2.

+

Criticality analysis is performed when an architecture or design is being developed, modified, or upgraded. If such analysis is performed early in the system development life cycle, organizations may be able to modify the system design to reduce the critical nature of these components and functions, such as by adding redundancy or alternate paths into the system design. Criticality analysis can also influence the protection measures required by development contractors. In addition to criticality analysis for systems, system components, and system services, criticality analysis of information is an important consideration. Such analysis is conducted as part of security categorization in RA-2.

-

critical system components and functions are identified by performing a criticality analysis for at .

+

critical system components and functions are identified by performing a criticality analysis for at .

@@ -55281,22 +52657,16 @@ - -

the frequency at which to employ the threat hunting capability is defined;

-
+ +

the frequency at which to employ the threat hunting capability is defined;

+
- - - + + + @@ -55320,7 +52690,7 @@
-

Employ the threat hunting capability .

+

Employ the threat hunting capability .

@@ -55341,7 +52711,7 @@ -

the threat hunting capability is employed .

+

the threat hunting capability is employed .

@@ -55380,27 +52750,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the system and services acquisition policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the system and services acquisition procedures are to be disseminated is/are defined;

+
@@ -55415,51 +52781,47 @@ - -

an official to manage the system and services acquisition policy and procedures is defined;

-
+ +

an official to manage the system and services acquisition policy and procedures is defined;

+
- -

the frequency at which the current system and services acquisition policy is reviewed and updated is defined;

-
+ +

the frequency at which the current system and services acquisition policy is reviewed and updated is defined;

+
- -

events that would require the current system and services acquisition policy to be reviewed and updated are defined;

-
+ +

events that would require the current system and services acquisition policy to be reviewed and updated are defined;

+
- -

the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;

-
+ +

the frequency at which the current system and services acquisition procedures are reviewed and updated is defined;

+
- -

events that would require the system and services acquisition procedures to be reviewed and updated are defined;

-
+ +

events that would require the system and services acquisition procedures to be reviewed and updated are defined;

+
- - + + @@ -55473,11 +52835,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- system and services acquisition policy that:

+

system and services acquisition policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

@@ -55494,18 +52855,18 @@
-

Designate an to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures; and

Review and update the current system and services acquisition:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -55522,7 +52883,7 @@
-

the system and services acquisition policy is disseminated to ;

+

the system and services acquisition policy is disseminated to ;

@@ -55530,7 +52891,7 @@ -

the system and services acquisition procedures are disseminated to ;

+

the system and services acquisition procedures are disseminated to ;

@@ -55538,42 +52899,42 @@ -

the system and services acquisition policy addresses purpose;

+

the system and services acquisition policy addresses purpose;

-

the system and services acquisition policy addresses scope;

+

the system and services acquisition policy addresses scope;

-

the system and services acquisition policy addresses roles;

+

the system and services acquisition policy addresses roles;

-

the system and services acquisition policy addresses responsibilities;

+

the system and services acquisition policy addresses responsibilities;

-

the system and services acquisition policy addresses management commitment;

+

the system and services acquisition policy addresses management commitment;

-

the system and services acquisition policy addresses coordination among organizational entities;

+

the system and services acquisition policy addresses coordination among organizational entities;

-

the system and services acquisition policy addresses compliance;

+

the system and services acquisition policy addresses compliance;

-

the system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+

the system and services acquisition policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

-

the is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the system and services acquisition policy and procedures;

@@ -55581,22 +52942,22 @@ -

the system and services acquisition policy is reviewed and updated ;

+

the system and services acquisition policy is reviewed and updated ;

-

the current system and services acquisition policy is reviewed and updated following ;

+

the current system and services acquisition policy is reviewed and updated following ;

-

the current system and services acquisition procedures are reviewed and updated ;

+

the current system and services acquisition procedures are reviewed and updated ;

-

the current system and services acquisition procedures are reviewed and updated following .

+

the current system and services acquisition procedures are reviewed and updated following .

@@ -55630,12 +52991,8 @@ - - + + @@ -55737,24 +53094,18 @@ System Development Life Cycle - + - -

system development life cycle is defined;

-
+ +

system development life cycle is defined;

+
- - + + @@ -55778,7 +53129,7 @@ -

Acquire, develop, and manage the system using that incorporates information security and privacy considerations;

+

Acquire, develop, and manage the system using that incorporates information security and privacy considerations;

@@ -55794,7 +53145,7 @@
-

A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.

+

A system development life cycle process provides the foundation for the successful development, implementation, and operation of organizational systems. The integration of security and privacy considerations early in the system development life cycle is a foundational principle of systems security engineering and privacy engineering. To apply the required controls within the system development life cycle requires a basic understanding of information security and privacy, threats, vulnerabilities, adverse impacts, and risk to critical mission and business functions. The security engineering principles in SA-8 help individuals properly design, code, and test systems and system components. Organizations include qualified personnel (e.g., senior agency information security officers, senior agency officials for privacy, security and privacy architects, and security and privacy engineers) in system development life cycle processes to ensure that established security and privacy requirements are incorporated into organizational systems. Role-based security and privacy training programs can ensure that individuals with key security and privacy roles and responsibilities have the experience, skills, and expertise to conduct assigned system development life cycle activities.

The effective integration of security and privacy requirements into enterprise architecture also helps to ensure that important security and privacy considerations are addressed throughout the system life cycle and that those considerations are directly related to organizational mission and business processes. This process also facilitates the integration of the information security and privacy architectures into the enterprise architecture, consistent with the risk management strategy of the organization. Because the system development life cycle involves multiple organizations, (e.g., external suppliers, developers, integrators, service providers), acquisition and supply chain risk management functions and controls play significant roles in the effective management of the system during the life cycle.

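Review bot: the paired paragraphs in this hunk (`- A system development life cycle process provides the foundation ...` and its `+` counterpart) differ only in whitespace, but whitespace inside a prose paragraph is part of its text content, not just indentation; a reformat that re-wraps or indents inline elements inside a paragraph can add or drop a space in the rendered statement. Please compare the normalized string value of each prose paragraph before and after the change (for instance `normalize-space()` applied to each paragraph on both sides) and confirm they are identical, rather than relying on the line diff alone.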
@@ -55803,11 +53154,11 @@ -

the system is acquired, developed, and managed using that incorporates information security considerations;

+

the system is acquired, developed, and managed using that incorporates information security considerations;

-

the system is acquired, developed, and managed using that incorporates privacy considerations;

+

the system is acquired, developed, and managed using that incorporates privacy considerations;

@@ -55887,12 +53238,8 @@ - - + + @@ -55948,12 +53295,8 @@ - - + + @@ -56034,12 +53377,8 @@ - - + + @@ -56103,28 +53442,22 @@ - -

contract language is defined (if selected);

-
+ +

contract language is defined (if selected);

+
- - + + @@ -56161,7 +53494,7 @@ -

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service:

+

Include the following requirements, descriptions, and criteria, explicitly or by reference, using in the acquisition contract for the system, system component, or system service:

Security and privacy functional requirements;

@@ -56200,7 +53533,7 @@
-

Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2 . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. SP 800-160-1 describes the process of requirements engineering as part of the system development life cycle.

+

Security and privacy functional requirements are typically derived from the high-level security and privacy requirements described in SA-2 . The derived requirements include security and privacy capabilities, functions, and mechanisms. Strength requirements associated with such capabilities, functions, and mechanisms include degree of correctness, completeness, resistance to tampering or bypass, and resistance to direct attack. Assurance requirements include development processes, procedures, and methodologies as well as the evidence from development and assessment activities that provide grounds for confidence that the required functionality is implemented and possesses the required strength of mechanism. SP 800-160-1 describes the process of requirements engineering as part of the system development life cycle.

Controls can be viewed as descriptions of the safeguards and protection capabilities appropriate for achieving the particular security and privacy objectives of the organization and for reflecting the security and privacy requirements of stakeholders. Controls are selected and implemented in order to satisfy system requirements and include developer and organizational responsibilities. Controls can include technical, administrative, and physical aspects. In some cases, the selection and implementation of a control may necessitate additional specification by the organization in the form of derived requirements or instantiated control parameter values. The derived requirements and control parameter values may be necessary to provide the appropriate level of implementation detail for controls within the system development life cycle.

Security and privacy documentation requirements address all stages of the system development life cycle. Documentation provides user and administrator guidance for the implementation and operation of controls. The level of detail required in such documentation is based on the security categorization or classification level of the system and the degree to which organizations depend on the capabilities, functions, or mechanisms to meet risk response expectations. Requirements can include mandated configuration settings that specify allowed functions, ports, protocols, and services. Acceptance criteria for systems, system components, and system services are defined in the same manner as the criteria for any organizational acquisition or procurement.

@@ -56210,83 +53543,83 @@ -

security functional requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+

security functional requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

-

privacy functional requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+

privacy functional requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

-

strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+

strength of mechanism requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

-

security assurance requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+

security assurance requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

-

privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+

privacy assurance requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

-

controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+

controls needed to satisfy the security requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

-

controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+

controls needed to satisfy the privacy requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

-

security documentation requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+

security documentation requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

-

privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+

privacy documentation requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

-

requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+

requirements for protecting security documentation, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

-

requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+

requirements for protecting privacy documentation, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

-

the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+

the description of the system development environment and environment in which the system is intended to operate, requirements, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

-

the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

+

the allocation of responsibility or identification of parties responsible for information security requirements, descriptions, and criteria are included explicitly or by reference using in the acquisition contract for the system, system component, or system service;

-

the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using ;

+

the allocation of responsibility or identification of parties responsible for privacy requirements, descriptions, and criteria are included explicitly or by reference using ;

-

the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using ;

+

the allocation of responsibility or identification of parties responsible for supply chain risk management requirements, descriptions, and criteria are included explicitly or by reference using ;

-

acceptance criteria requirements and descriptions are included explicitly or by reference using in the acquisition contract for the system, system component, or system service.

+

acceptance criteria requirements and descriptions are included explicitly or by reference using in the acquisition contract for the system, system component, or system service.

@@ -56329,12 +53662,8 @@ - - + +

Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.

@@ -56390,46 +53719,40 @@ high-level design low-level design source code or hardware schematics - - - + - -

design and implementation information is defined (if selected);

-
+ +

design and implementation information is defined (if selected);

+
- -

level of detail is defined;

-
+ +

level of detail is defined;

+
- - + + -

Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: at .

+

Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: at .

Organizations may require different levels of detail in the documentation for the design and implementation of controls in organizational systems, system components, or system services based on mission and business requirements, requirements for resiliency and trustworthiness, and requirements for analysis and testing. Systems can be partitioned into multiple subsystems. Each subsystem within the system can contain one or more modules. The high-level design for the system is expressed in terms of subsystems and the interfaces between subsystems providing security-relevant functionality. The low-level design for the system is expressed in terms of modules and the interfaces between modules providing security-relevant functionality. Design and implementation documentation can include manufacturer, version, serial number, verification hash signature, software libraries used, date of purchase or download, and the vendor or download source. Source code and hardware schematics are referred to as the implementation representation of the system.

-

the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using at .

+

the developer of the system, system component, or system service is required to provide design and implementation information for the controls that includes using at .

@@ -56472,104 +53795,83 @@ - -

systems engineering methods are defined;

-
+ +

systems engineering methods are defined;

+
- + - -

system security engineering methods are defined (if selected);

-
+ +

system security engineering methods are defined (if selected);

+
- -

privacy engineering methods are defined (if selected);

-
+ +

privacy engineering methods are defined (if selected);

+
- + - -

software development methods are defined (if selected);

-
+ +

software development methods are defined (if selected);

+
- -

testing, evaluation, assessment, verification, and validation methods are defined (if selected);

-
+ +

testing, evaluation, assessment, verification, and validation methods are defined (if selected);

+
- -

quality control processes are defined (if selected);

-
+ +

quality control processes are defined (if selected);

+
- - + +

Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes:

-

- ;

+

;

-

- ; and

+

; and

-

- .

+

.

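Review bot: the statement lines in this hunk that consist of a parameter insertion followed only by punctuation (`- ;`, `- ; and`, `- .` against their `+` counterparts) are where whitespace handling matters most, because any change in the spacing between the inline element and the `;` or `.` shows up directly in rendered text. Please spot-check these three statements in the rendered catalog (or assert that their string values match the prior output) before accepting the reformat, since the diff view gives no signal here beyond the markers themselves.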
@@ -56579,15 +53881,15 @@ -

the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes ;

+

the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes ;

-

the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes ;

+

the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes ;

-

the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes .

+

the developer of the system, system component, or system service is required to demonstrate the use of a system development life cycle process that includes .

@@ -56641,25 +53943,21 @@ - -

security configurations for the system, component, or service are defined;

-
+ +

security configurations for the system, component, or service are defined;

+
- - + +

Require the developer of the system, system component, or system service to:

-

Deliver the system, component, or service with implemented; and

+

Deliver the system, component, or service with implemented; and

@@ -56673,7 +53971,7 @@ -

the developer of the system, system component, or system service is required to deliver the system, component, or service with implemented;

+

the developer of the system, system component, or system service is required to deliver the system, component, or service with implemented;

@@ -56718,12 +54016,8 @@ - - + + @@ -56739,7 +54033,7 @@
-

Commercial off-the-shelf IA or IA-enabled information technology products used to protect classified information by cryptographic means may be required to use NSA-approved key management. See NSA CSFC.

+

Commercial off-the-shelf IA or IA-enabled information technology products used to protect classified information by cryptographic means may be required to use NSA-approved key management. See NSA CSFC.

@@ -56793,12 +54087,8 @@ - - + + @@ -56814,7 +54104,7 @@
-

See NIAP CCEVS for additional information on NIAP. See NIST CMVP for additional information on FIPS-validated cryptographic modules.

+

See NIAP CCEVS for additional information on NIAP. See NIST CMVP for additional information on FIPS-validated cryptographic modules.

@@ -56867,12 +54157,8 @@ - - + + @@ -56926,12 +54212,8 @@ - - + + @@ -56939,7 +54221,7 @@

Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.

-

The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design stages) allows organizations to influence the design of the system, system component, or system service. This early involvement in the system development life cycle helps organizations avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. SA-9 describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources.

+

The identification of functions, ports, protocols, and services early in the system development life cycle (e.g., during the initial requirements definition and design stages) allows organizations to influence the design of the system, system component, or system service. This early involvement in the system development life cycle helps organizations avoid or minimize the use of functions, ports, protocols, or services that pose unnecessarily high risks and understand the trade-offs involved in blocking specific ports, protocols, or services or requiring system service providers to do so. Early identification of functions, ports, protocols, and services avoids costly retrofitting of controls after the system, component, or system service has been implemented. SA-9 describes the requirements for external system services. Organizations identify which functions, ports, protocols, and services are provided from external sources.

@@ -56995,12 +54277,8 @@ - - + + @@ -57055,31 +54333,26 @@ - -

Privacy Act requirements for the operation of a system of records are defined;

-
+ +

Privacy Act requirements for the operation of a system of records are defined;

+
- - + + -

Include in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.

+

Include in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.

-

When, by contract, an organization provides for the operation of a system of records to accomplish an organizational mission or function, the organization, consistent with its authority, causes the requirements of the PRIVACT to be applied to the system of records.

+

When, by contract, an organization provides for the operation of a system of records to accomplish an organizational mission or function, the organization, consistent with its authority, causes the requirements of the PRIVACT to be applied to the system of records.

-

- are defined in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.

+

are defined in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.

@@ -57124,19 +54397,15 @@ - -

time frame to remove data from a contractor system and return it to the organization is defined;

-
+ +

time frame to remove data from a contractor system and return it to the organization is defined;

+
- - + + @@ -57145,7 +54414,7 @@ -

Require all data to be removed from the contractor’s system and returned to the organization within .

+

Require all data to be removed from the contractor’s system and returned to the organization within .

@@ -57159,7 +54428,7 @@ -

all data to be removed from the contractor’s system and returned to the organization is required within .

+

all data to be removed from the contractor’s system and returned to the organization is required within .

@@ -57210,27 +54479,23 @@ - -

actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;

-
+ +

actions to take when system, system component, or system service documentation is either unavailable or nonexistent are defined;

+
- -

personnel or roles to distribute system documentation to is/are defined;

-
+ +

personnel or roles to distribute system documentation to is/are defined;

+
- - + + @@ -57286,11 +54551,11 @@
-

Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take in response; and

+

Document attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent and take in response; and

-

Distribute documentation to .

+

Distribute documentation to .

@@ -57398,12 +54663,12 @@ -

after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, are taken in response;

+

after attempts to obtain system, system component, or system service documentation when such documentation is either unavailable or nonexistent, are taken in response;

-

documentation is distributed to .

+

documentation is distributed to .

@@ -57505,37 +54770,29 @@ Security and Privacy Engineering Principles - - + + - -

systems security engineering principles are defined;

-
+ +

systems security engineering principles are defined;

+
- -

privacy engineering principles are defined;

-
+ +

privacy engineering principles are defined;

+
- - + + @@ -57565,10 +54822,10 @@ -

Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: .

+

Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: .

-

Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3 ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.

+

Systems security and privacy engineering principles are closely related to and implemented throughout the system development life cycle (see SA-3 ). Organizations can apply systems security and privacy engineering principles to new systems under development or to systems undergoing upgrades. For existing systems, organizations apply systems security and privacy engineering principles to system upgrades and modifications to the extent feasible, given the current state of hardware, software, and firmware components within those systems.

The application of systems security and privacy engineering principles helps organizations develop trustworthy, secure, and resilient systems and reduces the susceptibility to disruptions, hazards, threats, and the creation of privacy problems for individuals. Examples of system security engineering principles include: developing layered protections; establishing security and privacy policies, architecture, and controls as the foundation for design and development; incorporating security and privacy requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; tailoring controls to meet organizational needs; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.

Organizations that apply systems security and privacy engineering concepts and principles can facilitate the development of trustworthy, secure systems, system components, and system services; reduce risk to acceptable levels; and make informed risk management decisions. System security engineering principles can also be used to protect against certain supply chain risks, including incorporating tamper-resistant hardware into a design.

@@ -57576,53 +54833,43 @@ -

- are applied in the specification of the system and system components;

+

are applied in the specification of the system and system components;

-

- are applied in the design of the system and system components;

+

are applied in the design of the system and system components;

-

- are applied in the development of the system and system components;

+

are applied in the development of the system and system components;

-

- are applied in the implementation of the system and system components;

+

are applied in the implementation of the system and system components;

-

- are applied in the modification of the system and system components;

+

are applied in the modification of the system and system components;

-

- are applied in the specification of the system and system components;

+

are applied in the specification of the system and system components;

-

- are applied in the design of the system and system components;

+

are applied in the design of the system and system components;

-

- are applied in the development of the system and system components;

+

are applied in the development of the system and system components;

-

- are applied in the implementation of the system and system components;

+

are applied in the implementation of the system and system components;

-

- are applied in the modification of the system and system components.

+

are applied in the modification of the system and system components.

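Review bot: every `-`/`+` pair in this hunk carries identical text (for example `- are applied in the specification of the system and system components;` against `+ are applied in the specification of the system and system components;`), so the change must be whitespace-only; before merging, confirm that `git diff -w` on the catalog file is empty for this range, because any line that survives a whitespace-insensitive diff means the reformat altered content rather than layout. The hunk shrinking from 53 to 43 lines is consistent with blank and indentation-only lines being dropped, which that check tolerates.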
@@ -57665,15 +54912,9 @@ - - - + + +

Implement the security design principle of clear abstractions.

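Review bot: this hunk drops six lines (15 to 9) without touching any visible text, so the removed lines are whitespace-only text nodes; that is fine for element-only content, but whitespace text nodes can also sit inside prose elements, so the PR should include a schema validation run of the reformatted catalog and a spot check that statement text such as `Implement the security design principle of clear abstractions.` renders unchanged.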
@@ -57723,33 +54964,26 @@ - -

systems or system components that implement the security design principle of least common mechanism are defined;

-
+ +

systems or system components that implement the security design principle of least common mechanism are defined;

+
- - - + + + -

Implement the security design principle of least common mechanism in .

+

Implement the security design principle of least common mechanism in .

-

The principle of least common mechanism states that the amount of mechanism common to more than one user and depended on by all users is minimized POPEK74 . Mechanism minimization implies that different components of a system refrain from using the same mechanism to access a system resource. Every shared mechanism (especially a mechanism involving shared variables) represents a potential information path between users and is designed with care to ensure that it does not unintentionally compromise security SALTZER75 . Implementing the principle of least common mechanism helps to reduce the adverse consequences of sharing the system state among different programs. A single program that corrupts a shared state (including shared variables) has the potential to corrupt other programs that are dependent on the state. The principle of least common mechanism also supports the principle of simplicity of design and addresses the issue of covert storage channels LAMPSON73.

+

The principle of least common mechanism states that the amount of mechanism common to more than one user and depended on by all users is minimized POPEK74 . Mechanism minimization implies that different components of a system refrain from using the same mechanism to access a system resource. Every shared mechanism (especially a mechanism involving shared variables) represents a potential information path between users and is designed with care to ensure that it does not unintentionally compromise security SALTZER75 . Implementing the principle of least common mechanism helps to reduce the adverse consequences of sharing the system state among different programs. A single program that corrupts a shared state (including shared variables) has the potential to corrupt other programs that are dependent on the state. The principle of least common mechanism also supports the principle of simplicity of design and addresses the issue of covert storage channels LAMPSON73.

-

- implement the security design principle of least common mechanism.

+

implement the security design principle of least common mechanism.

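Review bot: the reindented prose lines here live inside mixed-content elements: `Implement the security design principle of least common mechanism in .` has a parameter insertion before the final period, and the guidance paragraph carries inline citations (`POPEK74 .`, `SALTZER75 .`). An indenting stylesheet that adds line breaks or padding around child elements would change the rendered text of such paragraphs (extra whitespace inside a sentence), so check that the reformat stylesheet preserves whitespace inside prose elements and only touches the element-only structural levels; the `-`/`+` pairs for these lines should be byte-identical apart from leading indentation.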
@@ -57786,45 +55020,35 @@ Modularity and Layering - - + + - -

systems or system components that implement the security design principle of modularity are defined;

-
+ +

systems or system components that implement the security design principle of modularity are defined;

+
- -

systems or system components that implement the security design principle of layering are defined;

-
+ +

systems or system components that implement the security design principle of layering are defined;

+
- - - + + + -

Implement the security design principles of modularity and layering in .

+

Implement the security design principles of modularity and layering in .

The principles of modularity and layering are fundamental across system engineering disciplines. Modularity and layering derived from functional decomposition are effective in managing system complexity by making it possible to comprehend the structure of the system. Modular decomposition, or refinement in system design, is challenging and resists general statements of principle. Modularity serves to isolate functions and related data structures into well-defined logical units. Layering allows the relationships of these units to be better understood so that dependencies are clear and undesired complexity can be avoided. The security design principle of modularity extends functional modularity to include considerations based on trust, trustworthiness, privilege, and security policy. Security-informed modular decomposition includes the allocation of policies to systems in a network, separation of system applications into processes with distinct address spaces, allocation of system policies to layers, and separation of processes into subjects with distinct privileges based on hardware-supported privilege domains.

@@ -57833,13 +55057,11 @@ -

- implement the security design principle of modularity;

+

implement the security design principle of modularity;

-

- implement the security design principle of layering.

+

implement the security design principle of layering.

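Review bot: in this hunk the guidance paragraph (`The principles of modularity and layering are fundamental ...`) appears only as unchanged context, while the equivalent guidance paragraph in the least-common-mechanism hunk just above is rewritten as a `-`/`+` pair; that suggests the input file's indentation was uneven at this level. If the added stylesheet is meant to be the canonical formatter, verify it is idempotent (applying it to the committed output yields no further diff) so later cosmetic commits do not reshuffle these paragraphs again.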
@@ -57881,33 +55103,26 @@ - -

systems or system components that implement the security design principle of partially ordered dependencies are defined;

-
+ +

systems or system components that implement the security design principle of partially ordered dependencies are defined;

+
- - - + + + -

Implement the security design principle of partially ordered dependencies in .

+

Implement the security design principle of partially ordered dependencies in .

The principle of partially ordered dependencies states that the synchronization, calling, and other dependencies in the system are partially ordered. A fundamental concept in system design is layering, whereby the system is organized into well-defined, functionally related modules or components. The layers are linearly ordered with respect to inter-layer dependencies, such that higher layers are dependent on lower layers. While providing functionality to higher layers, some layers can be self-contained and not dependent on lower layers. While a partial ordering of all functions in a given system may not be possible, if circular dependencies are constrained to occur within layers, the inherent problems of circularity can be more easily managed. Partially ordered dependencies and system layering contribute significantly to the simplicity and coherency of the system design. Partially ordered dependencies also facilitate system testing and analysis.

-

- implement the security design principle of partially ordered dependencies.

+

implement the security design principle of partially ordered dependencies.

@@ -57947,34 +55162,27 @@ - -

systems or system components that implement the security design principle of efficiently mediated access are defined;

-
+ +

systems or system components that implement the security design principle of efficiently mediated access are defined;

+
- - - + + + -

Implement the security design principle of efficiently mediated access in .

+

Implement the security design principle of efficiently mediated access in .

The principle of efficiently mediated access states that policy enforcement mechanisms utilize the least common mechanism available while satisfying stakeholder requirements within expressed constraints. The mediation of access to system resources (i.e., CPU, memory, devices, communication ports, services, infrastructure, data, and information) is often the predominant security function of secure systems. It also enables the realization of protections for the capability provided to stakeholders by the system. Mediation of resource access can result in performance bottlenecks if the system is not designed correctly. For example, by using hardware mechanisms, efficiently mediated access can be achieved. Once access to a low-level resource such as memory has been obtained, hardware protection mechanisms can ensure that out-of-bounds access does not occur.

-

- implement the security design principle of efficiently mediated access.

+

implement the security design principle of efficiently mediated access.

@@ -58015,34 +55223,27 @@ - -

systems or system components that implement the security design principle of minimized sharing are defined;

-
+ +

systems or system components that implement the security design principle of minimized sharing are defined;

+
- - - + + + -

Implement the security design principle of minimized sharing in .

+

Implement the security design principle of minimized sharing in .

The principle of minimized sharing states that no computer resource is shared between system components (e.g., subjects, processes, functions) unless it is absolutely necessary to do so. Minimized sharing helps to simplify system design and implementation. In order to protect user-domain resources from arbitrary active entities, no resource is shared unless that sharing has been explicitly requested and granted. The need for resource sharing can be motivated by the design principle of least common mechanism in the case of internal entities or driven by stakeholder requirements. However, internal sharing is carefully designed to avoid performance and covert storage and timing channel problems. Sharing via common mechanism can increase the susceptibility of data and information to unauthorized access, disclosure, use, or modification and can adversely affect the inherent capability provided by the system. To minimize sharing induced by common mechanisms, such mechanisms can be designed to be reentrant or virtualized to preserve separation. Moreover, the use of global data to share information is carefully scrutinized. The lack of encapsulation may obfuscate relationships among the sharing entities.

-

- implement the security design principle of minimized sharing.

+

implement the security design principle of minimized sharing.

@@ -58082,33 +55283,26 @@ - -

systems or system components that implement the security design principle of reduced complexity are defined;

-
+ +

systems or system components that implement the security design principle of reduced complexity are defined;

+
- - - + + + -

Implement the security design principle of reduced complexity in .

+

Implement the security design principle of reduced complexity in .

The principle of reduced complexity states that the system design is as simple and small as possible. A small and simple design is more understandable, more analyzable, and less prone to error. The reduced complexity principle applies to any aspect of a system, but it has particular importance for security due to the various analyses performed to obtain evidence about the emergent security property of the system. For such analyses to be successful, a small and simple design is essential. Application of the principle of reduced complexity contributes to the ability of system developers to understand the correctness and completeness of system security functions. It also facilitates the identification of potential vulnerabilities. The corollary of reduced complexity states that the simplicity of the system is directly related to the number of vulnerabilities it will contain; that is, simpler systems contain fewer vulnerabilities. An benefit of reduced complexity is that it is easier to understand whether the intended security policy has been captured in the system design and that fewer vulnerabilities are likely to be introduced during engineering development. An additional benefit is that any such conclusion about correctness, completeness, and the existence of vulnerabilities can be reached with a higher degree of assurance in contrast to conclusions reached in situations where the system design is inherently more complex. Transitioning from older technologies to newer technologies (e.g., transitioning from IPv4 to IPv6) may require implementing the older and newer technologies simultaneously during the transition period. This may result in a temporary increase in system complexity during the transition.

-

- implement the security design principle of reduced complexity.

+

implement the security design principle of reduced complexity.

@@ -58148,34 +55342,27 @@ - -

systems or system components that implement the security design principle of secure evolvability are defined;

-
+ +

systems or system components that implement the security design principle of secure evolvability are defined;

+
- - - + + + -

Implement the security design principle of secure evolvability in .

+

Implement the security design principle of secure evolvability in .

The principle of secure evolvability states that a system is developed to facilitate the maintenance of its security properties when there are changes to the system’s structure, interfaces, interconnections (i.e., system architecture), functionality, or configuration (i.e., security policy enforcement). Changes include a new, enhanced, or upgraded system capability; maintenance and sustainment activities; and reconfiguration. Although it is not possible to plan for every aspect of system evolution, system upgrades and changes can be anticipated by analyses of mission or business strategic direction, anticipated changes in the threat environment, and anticipated maintenance and sustainment needs. It is unrealistic to expect that complex systems remain secure in contexts not envisioned during development, whether such contexts are related to the operational environment or to usage. A system may be secure in some new contexts, but there is no guarantee that its emergent behavior will always be secure. It is easier to build trustworthiness into a system from the outset, and it follows that the sustainment of system trustworthiness requires planning for change as opposed to adapting in an ad hoc or non-methodical manner. The benefits of this principle include reduced vendor life cycle costs, reduced cost of ownership, improved system security, more effective management of security risk, and less risk uncertainty.

-

- implement the security design principle of secure evolvability.

+

implement the security design principle of secure evolvability.

@@ -58215,25 +55402,19 @@ - -

systems or system components that implement the security design principle of trusted components are defined;

-
+ +

systems or system components that implement the security design principle of trusted components are defined;

+
- - - + + + -

Implement the security design principle of trusted components in .

+

Implement the security design principle of trusted components in .

The principle of trusted components states that a component is trustworthy to at least a level commensurate with the security dependencies it supports (i.e., how much it is trusted to perform its security functions by other components). This principle enables the composition of components such that trustworthiness is not inadvertently diminished and the trust is not consequently misplaced. Ultimately, this principle demands some metric by which the trust in a component and the trustworthiness of a component can be measured on the same abstract scale. The principle of trusted components is particularly relevant when considering systems and components in which there are complex chains of trust dependencies. A trust dependency is also referred to as a trust relationship and there may be chains of trust relationships.

@@ -58241,8 +55422,7 @@
-

- implement the security design principle of trusted components.

+

implement the security design principle of trusted components.

@@ -58285,33 +55465,26 @@ - -

systems or system components that implement the security design principle of hierarchical trust are defined;

-
+ +

systems or system components that implement the security design principle of hierarchical trust are defined;

+
- - - + + + -

Implement the security design principle of hierarchical trust in .

+

Implement the security design principle of hierarchical trust in .

-

The principle of hierarchical trust for components builds on the principle of trusted components and states that the security dependencies in a system will form a partial ordering if they preserve the principle of trusted components. The partial ordering provides the basis for trustworthiness reasoning or an assurance case (assurance argument) when composing a secure system from heterogeneously trustworthy components. To analyze a system composed of heterogeneously trustworthy components for its trustworthiness, it is essential to eliminate circular dependencies with regard to the trustworthiness. If a more trustworthy component located in a lower layer of the system were to depend on a less trustworthy component in a higher layer, this would, in effect, put the components in the same less trustworthy equivalence class per the principle of trusted components. Trust relationships, or chains of trust, can have various manifestations. For example, the root certificate of a certificate hierarchy is the most trusted node in the hierarchy, whereas the leaves in the hierarchy may be the least trustworthy nodes. Another example occurs in a layered high-assurance system where the security kernel (including the hardware base), which is located at the lowest layer of the system, is the most trustworthy component. The principle of hierarchical trust, however, does not prohibit the use of overly trustworthy components. There may be cases in a system of low trustworthiness where it is reasonable to employ a highly trustworthy component rather than one that is less trustworthy (e.g., due to availability or other cost-benefit driver). For such a case, any dependency of the highly trustworthy component upon a less trustworthy component does not degrade the trustworthiness of the resulting low-trust system.

+

The principle of hierarchical trust for components builds on the principle of trusted components and states that the security dependencies in a system will form a partial ordering if they preserve the principle of trusted components. The partial ordering provides the basis for trustworthiness reasoning or an assurance case (assurance argument) when composing a secure system from heterogeneously trustworthy components. To analyze a system composed of heterogeneously trustworthy components for its trustworthiness, it is essential to eliminate circular dependencies with regard to the trustworthiness. If a more trustworthy component located in a lower layer of the system were to depend on a less trustworthy component in a higher layer, this would, in effect, put the components in the same less trustworthy equivalence class per the principle of trusted components. Trust relationships, or chains of trust, can have various manifestations. For example, the root certificate of a certificate hierarchy is the most trusted node in the hierarchy, whereas the leaves in the hierarchy may be the least trustworthy nodes. Another example occurs in a layered high-assurance system where the security kernel (including the hardware base), which is located at the lowest layer of the system, is the most trustworthy component. The principle of hierarchical trust, however, does not prohibit the use of overly trustworthy components. There may be cases in a system of low trustworthiness where it is reasonable to employ a highly trustworthy component rather than one that is less trustworthy (e.g., due to availability or other cost-benefit driver). For such a case, any dependency of the highly trustworthy component upon a less trustworthy component does not degrade the trustworthiness of the resulting low-trust system.

-

- implement the security design principle of hierarchical trust.

+

implement the security design principle of hierarchical trust.

@@ -58351,33 +55524,26 @@ - -

systems or system components that implement the security design principle of inverse modification threshold are defined;

-
+ +

systems or system components that implement the security design principle of inverse modification threshold are defined;

+
- - - + + + -

Implement the security design principle of inverse modification threshold in .

+

Implement the security design principle of inverse modification threshold in .

The principle of inverse modification threshold builds on the principle of trusted components and the principle of hierarchical trust and states that the degree of protection provided to a component is commensurate with its trustworthiness. As the trust placed in a component increases, the protection against unauthorized modification of the component also increases to the same degree. Protection from unauthorized modification can come in the form of the component’s own self-protection and innate trustworthiness, or it can come from the protections afforded to the component from other elements or attributes of the security architecture (to include protections in the environment of operation).

-

- implement the security design principle of inverse modification threshold.

+

implement the security design principle of inverse modification threshold.

@@ -58417,33 +55583,26 @@ - -

systems or system components that implement the security design principle of hierarchical protection are defined;

-
+ +

systems or system components that implement the security design principle of hierarchical protection are defined;

+
- - - + + + -

Implement the security design principle of hierarchical protection in .

+

Implement the security design principle of hierarchical protection in .

-

The principle of hierarchical protection states that a component need not be protected from more trustworthy components. In the degenerate case of the most trusted component, it protects itself from all other components. For example, if an operating system kernel is deemed the most trustworthy component in a system, then it protects itself from all untrusted applications it supports, but the applications, conversely, do not need to protect themselves from the kernel. The trustworthiness of users is a consideration for applying the principle of hierarchical protection. A trusted system need not protect itself from an equally trustworthy user, reflecting use of untrusted systems in system high environments where users are highly trustworthy and where other protections are put in place to bound and protect the system high execution environment.

+

The principle of hierarchical protection states that a component need not be protected from more trustworthy components. In the degenerate case of the most trusted component, it protects itself from all other components. For example, if an operating system kernel is deemed the most trustworthy component in a system, then it protects itself from all untrusted applications it supports, but the applications, conversely, do not need to protect themselves from the kernel. The trustworthiness of users is a consideration for applying the principle of hierarchical protection. A trusted system need not protect itself from an equally trustworthy user, reflecting use of untrusted systems in system high environments where users are highly trustworthy and where other protections are put in place to bound and protect the system high execution environment.

-

- implement the security design principle of hierarchical protection.

+

implement the security design principle of hierarchical protection.

@@ -58483,33 +55642,26 @@ - -

systems or system components that implement the security design principle of minimized security elements are defined;

-
+ +

systems or system components that implement the security design principle of minimized security elements are defined;

+
- - - + + + -

Implement the security design principle of minimized security elements in .

+

Implement the security design principle of minimized security elements in .

The principle of minimized security elements states that the system does not have extraneous trusted components. The principle of minimized security elements has two aspects: the overall cost of security analysis and the complexity of security analysis. Trusted components are generally costlier to construct and implement, owing to the increased rigor of development processes. Trusted components require greater security analysis to qualify their trustworthiness. Thus, to reduce the cost and decrease the complexity of the security analysis, a system contains as few trustworthy components as possible. The analysis of the interaction of trusted components with other components of the system is one of the most important aspects of system security verification. If the interactions between components are unnecessarily complex, the security of the system will also be more difficult to ascertain than one whose internal trust relationships are simple and elegantly constructed. In general, fewer trusted components result in fewer internal trust relationships and a simpler system.

-

- implement the security design principle of minimized security elements.

+

implement the security design principle of minimized security elements.

@@ -58549,27 +55701,21 @@ - -

systems or system components that implement the security design principle of least privilege are defined;

-
+ +

systems or system components that implement the security design principle of least privilege are defined;

+
- - - + + + -

Implement the security design principle of least privilege in .

+

Implement the security design principle of least privilege in .

The principle of least privilege states that each system component is allocated sufficient privileges to accomplish its specified functions but no more. Applying the principle of least privilege limits the scope of the component’s actions, which has two desirable effects: the security impact of a failure, corruption, or misuse of the component will have a minimized security impact, and the security analysis of the component will be simplified. Least privilege is a pervasive principle that is reflected in all aspects of the secure system design. Interfaces used to invoke component capability are available to only certain subsets of the user population, and component design supports a sufficiently fine granularity of privilege decomposition. For example, in the case of an audit mechanism, there may be an interface for the audit manager, who configures the audit settings; an interface for the audit operator, who ensures that audit data is safely collected and stored; and, finally, yet another interface for the audit reviewer, who only has need to view the audit data that has been collected but no need to perform operations on that data.

@@ -58577,8 +55723,7 @@
-

- implement the security design principle of least privilege.

+

implement the security design principle of least privilege.

@@ -58618,34 +55763,27 @@ - -

systems or system components that implement the security design principle of predicate permission are defined;

-
+ +

systems or system components that implement the security design principle of predicate permission are defined;

+
- - - + + + -

Implement the security design principle of predicate permission in .

+

Implement the security design principle of predicate permission in .

-

The principle of predicate permission states that system designers consider requiring multiple authorized entities to provide consent before a highly critical operation or access to highly sensitive data, information, or resources is allowed to proceed. SALTZER75 originally named predicate permission the separation of privilege. It is also equivalent to separation of duty. The division of privilege among multiple parties decreases the likelihood of abuse and provides the safeguard that no single accident, deception, or breach of trust is sufficient to enable an unrecoverable action that can lead to significantly damaging effects. The design options for such a mechanism may require simultaneous action (e.g., the firing of a nuclear weapon requires two different authorized individuals to give the correct command within a small time window) or a sequence of operations where each successive action is enabled by some prior action, but no single individual is able to enable more than one action.

+

The principle of predicate permission states that system designers consider requiring multiple authorized entities to provide consent before a highly critical operation or access to highly sensitive data, information, or resources is allowed to proceed. SALTZER75 originally named predicate permission the separation of privilege. It is also equivalent to separation of duty. The division of privilege among multiple parties decreases the likelihood of abuse and provides the safeguard that no single accident, deception, or breach of trust is sufficient to enable an unrecoverable action that can lead to significantly damaging effects. The design options for such a mechanism may require simultaneous action (e.g., the firing of a nuclear weapon requires two different authorized individuals to give the correct command within a small time window) or a sequence of operations where each successive action is enabled by some prior action, but no single individual is able to enable more than one action.

-

- implement the security design principle of predicate permission.

+

implement the security design principle of predicate permission.

@@ -58685,33 +55823,26 @@ - -

systems or system components that implement the security design principle of self-reliant trustworthiness are defined;

-
+ +

systems or system components that implement the security design principle of self-reliant trustworthiness are defined;

+
- - - + + + -

Implement the security design principle of self-reliant trustworthiness in .

+

Implement the security design principle of self-reliant trustworthiness in .

The principle of self-reliant trustworthiness states that systems minimize their reliance on other systems for their own trustworthiness. A system is trustworthy by default, and any connection to an external entity is used to supplement its function. If a system were required to maintain a connection with another external entity in order to maintain its trustworthiness, then that system would be vulnerable to malicious and non-malicious threats that could result in the loss or degradation of that connection. The benefit of the principle of self-reliant trustworthiness is that the isolation of a system will make it less vulnerable to attack. A corollary to this principle relates to the ability of the system (or system component) to operate in isolation and then resynchronize with other components when it is rejoined with them.

-

- implement the security design principle of self-reliant trustworthiness.

+

implement the security design principle of self-reliant trustworthiness.

@@ -58751,33 +55882,26 @@ - -

systems or system components that implement the security design principle of secure distributed composition are defined;

-
+ +

systems or system components that implement the security design principle of secure distributed composition are defined;

+
- - - + + + -

Implement the security design principle of secure distributed composition in .

+

Implement the security design principle of secure distributed composition in .

The principle of secure distributed composition states that the composition of distributed components that enforce the same system security policy result in a system that enforces that policy at least as well as the individual components do. Many of the design principles for secure systems deal with how components can or should interact. The need to create or enable a capability from the composition of distributed components can magnify the relevancy of these principles. In particular, the translation of security policy from a stand-alone to a distributed system or a system-of-systems can have unexpected or emergent results. Communication protocols and distributed data consistency mechanisms help to ensure consistent policy enforcement across a distributed system. To ensure a system-wide level of assurance of correct policy enforcement, the security architecture of a distributed composite system is thoroughly analyzed.

-

- implement the security design principle of secure distributed composition.

+

implement the security design principle of secure distributed composition.

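Review bot: every removed/re-added pair in this hunk carries identical text (the "systems or system components that implement the security design principle of secure distributed composition are defined;" objective and the "Implement the security design principle of secure distributed composition in ." statement), and the header's line count drops from 33 to 26, so the change should be blank-line and indentation only. Please confirm that with a whitespace-insensitive diff of the file (`git diff -w --ignore-blank-lines` against the parent commit should come back empty for this region); any residual output would point at a content change hiding inside a cosmetic commit, which is exactly what should not land in a catalog that downstream tooling treats as authoritative.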
@@ -58817,36 +55941,29 @@ - -

systems or system components that implement the security design principle of trusted communications channels are defined;

-
+ +

systems or system components that implement the security design principle of trusted communications channels are defined;

+
- - - + + + -

Implement the security design principle of trusted communications channels in .

+

Implement the security design principle of trusted communications channels in .

The principle of trusted communication channels states that when composing a system where there is a potential threat to communications between components (i.e., the interconnections between components), each communication channel is trustworthy to a level commensurate with the security dependencies it supports (i.e., how much it is trusted by other components to perform its security functions). Trusted communication channels are achieved by a combination of restricting access to the communication channel (to ensure an acceptable match in the trustworthiness of the endpoints involved in the communication) and employing end-to-end protections for the data transmitted over the communication channel (to protect against interception and modification and to further increase the assurance of proper end-to-end communication).

-

- implement the security design principle of trusted communications channels.

+

implement the security design principle of trusted communications channels.

@@ -58886,26 +56003,20 @@ - -

systems or system components that implement the security design principle of continuous protection are defined;

-
+ +

systems or system components that implement the security design principle of continuous protection are defined;

+
- - - + + + -

Implement the security design principle of continuous protection in .

+

Implement the security design principle of continuous protection in .

The principle of continuous protection states that components and data used to enforce the security policy have uninterrupted protection that is consistent with the security policy and the security architecture assumptions. No assurances that the system can provide the confidentiality, integrity, availability, and privacy protections for its design capability can be made if there are gaps in the protection. Any assurances about the ability to secure a delivered capability require that data and information are continuously protected. That is, there are no periods during which data and information are left unprotected while under control of the system (i.e., during the creation, storage, processing, or communication of the data and information, as well as during system initialization, execution, failure, interruption, and shutdown). Continuous protection requires adherence to the precepts of the reference monitor concept (i.e., every request is validated by the reference monitor; the reference monitor is able to protect itself from tampering; and sufficient assurance of the correctness and completeness of the mechanism can be ascertained from analysis and testing) and the principle of secure failure and recovery (i.e., preservation of a secure state during error, fault, failure, and successful attack; preservation of a secure state during recovery to normal, degraded, or alternative operational modes).

@@ -58913,8 +56024,7 @@
-

- implement the security design principle of continuous protection.

+

implement the security design principle of continuous protection.

@@ -58963,34 +56073,27 @@ - -

systems or system components that implement the security design principle of secure metadata management are defined;

-
+ +

systems or system components that implement the security design principle of secure metadata management are defined;

+
- - - + + + -

Implement the security design principle of secure metadata management in .

+

Implement the security design principle of secure metadata management in .

-

The principle of secure metadata management states that metadata are first class objects with respect to security policy when the policy requires either complete protection of information or that the security subsystem be self-protecting. The principle of secure metadata management is driven by the recognition that a system, subsystem, or component cannot achieve self-protection unless it protects the data it relies on for correct execution. Data is generally not interpreted by the system that stores it. It may have semantic value (i.e., it comprises information) to users and programs that process the data. In contrast, metadata is information about data, such as a file name or the date when the file was created. Metadata is bound to the target data that it describes in a way that the system can interpret, but it need not be stored inside of or proximate to its target data. There may be metadata whose target is itself metadata (e.g., the classification level or impact level of a file name), including self-referential metadata.

+

The principle of secure metadata management states that metadata are first class objects with respect to security policy when the policy requires either complete protection of information or that the security subsystem be self-protecting. The principle of secure metadata management is driven by the recognition that a system, subsystem, or component cannot achieve self-protection unless it protects the data it relies on for correct execution. Data is generally not interpreted by the system that stores it. It may have semantic value (i.e., it comprises information) to users and programs that process the data. In contrast, metadata is information about data, such as a file name or the date when the file was created. Metadata is bound to the target data that it describes in a way that the system can interpret, but it need not be stored inside of or proximate to its target data. There may be metadata whose target is itself metadata (e.g., the classification level or impact level of a file name), including self-referential metadata.

The apparent secondary nature of metadata can lead to neglect of its legitimate need for protection, resulting in a violation of the security policy that includes the exfiltration of information. A particular concern associated with insufficient protections for metadata is associated with multilevel secure (MLS) systems. MLS systems mediate access by a subject to an object based on relative sensitivity levels. It follows that all subjects and objects in the scope of control of the MLS system are either directly labeled or indirectly attributed with sensitivity levels. The corollary of labeled metadata for MLS systems states that objects containing metadata are labeled. As with protection needs assessments for data, attention is given to ensure that the confidentiality and integrity protections are individually assessed, specified, and allocated to metadata, as would be done for mission, business, and system data.

-

- implement the security design principle of secure metadata management.

+

implement the security design principle of secure metadata management.

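Review bot: this hunk drops and re-emits two whole prose paragraphs (the secure metadata management rationale) verbatim, and whitespace inside `<p>` mixed content is not ignorable the way whitespace between elements is; a re-indenting pass that touches text nodes can change what a renderer prints, most visibly next to inline markup such as the gap in the "Implement the security design principle of secure metadata management in ." statement. Suggest comparing the text node content of old and new (for example, serialize both with inter-element whitespace stripped and diff the result) rather than relying on the line diff alone, and keeping the reformatting step from indenting inside mixed-content elements.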
@@ -59030,34 +56133,27 @@ - -

systems or system components that implement the security design principle of self-analysis are defined;

-
+ +

systems or system components that implement the security design principle of self-analysis are defined;

+
- - - + + + -

Implement the security design principle of self-analysis in .

+

Implement the security design principle of self-analysis in .

The principle of self-analysis states that a system component is able to assess its internal state and functionality to a limited extent at various stages of execution, and that this self-analysis capability is commensurate with the level of trustworthiness invested in the system. At the system level, self-analysis can be achieved through hierarchical assessments of trustworthiness established in a bottom-up fashion. In this approach, the lower-level components check for data integrity and correct functionality (to a limited extent) of higher-level components. For example, trusted boot sequences involve a trusted lower-level component that attests to the trustworthiness of the next higher-level components so that a transitive chain of trust can be established. At the root, a component attests to itself, which usually involves an axiomatic or environmentally enforced assumption about its integrity. Results of the self-analyses can be used to guard against externally induced errors, internal malfunction, or transient errors. By following this principle, some simple malfunctions or errors can be detected without allowing the effects of the error or malfunction to propagate outside of the component. Further, the self-test can be used to attest to the configuration of the component, detecting any potential conflicts in configuration with respect to the expected configuration.

-

- implement the security design principle of self-analysis.

+

implement the security design principle of self-analysis.

@@ -59094,40 +56190,30 @@ Accountability and Traceability - - + + - -

systems or system components that implement the security design principle of accountability are defined;

-
+ +

systems or system components that implement the security design principle of accountability are defined;

+
- -

systems or system components that implement the security design principle of traceability are defined;

-
+ +

systems or system components that implement the security design principle of traceability are defined;

+
- - - + + + @@ -59139,7 +56225,7 @@ -

Implement the security design principle of accountability and traceability in .

+

Implement the security design principle of accountability and traceability in .

The principle of accountability and traceability states that it is possible to trace security-relevant actions (i.e., subject-object interactions) to the entity on whose behalf the action is being taken. The principle of accountability and traceability requires a trustworthy infrastructure that can record details about actions that affect system security (e.g., an audit subsystem). To record the details about actions, the system is able to uniquely identify the entity on whose behalf the action is being carried out and also record the relevant sequence of actions that are carried out. The accountability policy also requires that audit trail itself be protected from unauthorized access and modification. The principle of least privilege assists in tracing the actions to particular entities, as it increases the granularity of accountability. Associating specific actions with system entities, and ultimately with users, and making the audit trail secure against unauthorized access and modifications provide non-repudiation because once an action is recorded, it is not possible to change the audit trail. Another important function that accountability and traceability serves is in the routine and forensic analysis of events associated with the violation of security policy. Analysis of audit logs may provide additional information that may be helpful in determining the path or component that allowed the violation of the security policy and the actions of individuals associated with the violation of the security policy.

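Review bot: the sub-hunk `@@ -59139,7 +56225,7 @@` inside this region replaces seven lines with seven lines around the "Implement the security design principle of accountability and traceability in ." statement, so unlike the blank-line removals elsewhere the change here is within lines (indentation or trailing whitespace), which this view cannot show. Review that sub-hunk with whitespace made visible (`git diff --ws-error-highlight=all`, or piping the patch through `cat -A`) to confirm that nothing but leading or trailing space moved.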
@@ -59148,13 +56234,11 @@ -

- implement the security design principle of accountability;

+

implement the security design principle of accountability;

-

- implement the security design principle of traceability.

+

implement the security design principle of traceability.

@@ -59207,38 +56291,31 @@ - -

systems or system components that implement the security design principle of secure defaults are defined;

-
+ +

systems or system components that implement the security design principle of secure defaults are defined;

+
- - - + + + -

Implement the security design principle of secure defaults in .

+

Implement the security design principle of secure defaults in .

-

The principle of secure defaults states that the default configuration of a system (including its constituent subsystems, components, and mechanisms) reflects a restrictive and conservative enforcement of security policy. The principle of secure defaults applies to the initial (i.e., default) configuration of a system as well as to the security engineering and design of access control and other security functions that follow a deny unless explicitly authorized strategy. The initial configuration aspect of this principle requires that any as shipped configuration of a system, subsystem, or system component does not aid in the violation of the security policy and can prevent the system from operating in the default configuration for those cases where the security policy itself requires configuration by the operational user.

-

Restrictive defaults mean that the system will operate as-shipped with adequate self-protection and be able to prevent security breaches before the intended security policy and system configuration is established. In cases where the protection provided by the as-shipped product is inadequate, stakeholders assess the risk of using it prior to establishing a secure initial state. Adherence to the principle of secure defaults guarantees that a system is established in a secure state upon successfully completing initialization. In situations where the system fails to complete initialization, either it will perform a requested operation using secure defaults or it will not perform the operation. Refer to the principles of continuous protection and secure failure and recovery that parallel this principle to provide the ability to detect and recover from failure.

+

The principle of secure defaults states that the default configuration of a system (including its constituent subsystems, components, and mechanisms) reflects a restrictive and conservative enforcement of security policy. The principle of secure defaults applies to the initial (i.e., default) configuration of a system as well as to the security engineering and design of access control and other security functions that follow a deny unless explicitly authorized strategy. The initial configuration aspect of this principle requires that any as shipped configuration of a system, subsystem, or system component does not aid in the violation of the security policy and can prevent the system from operating in the default configuration for those cases where the security policy itself requires configuration by the operational user.

+

Restrictive defaults mean that the system will operate as-shipped with adequate self-protection and be able to prevent security breaches before the intended security policy and system configuration is established. In cases where the protection provided by the as-shipped product is inadequate, stakeholders assess the risk of using it prior to establishing a secure initial state. Adherence to the principle of secure defaults guarantees that a system is established in a secure state upon successfully completing initialization. In situations where the system fails to complete initialization, either it will perform a requested operation using secure defaults or it will not perform the operation. Refer to the principles of continuous protection and secure failure and recovery that parallel this principle to provide the ability to detect and recover from failure.

The security engineering approach to this principle states that security mechanisms deny requests unless the request is found to be well-formed and consistent with the security policy. The insecure alternative is to allow a request unless it is shown to be inconsistent with the policy. In a large system, the conditions that are satisfied to grant a request that is denied by default are often far more compact and complete than those that would need to be checked in order to deny a request that is granted by default.

-

- implement the security design principle of secure defaults.

+

implement the security design principle of secure defaults.

@@ -59284,40 +56361,30 @@ Secure Failure and Recovery - - + + - -

systems or system components that implement the security design principle of secure failure are defined;

-
+ +

systems or system components that implement the security design principle of secure failure are defined;

+
- -

systems or system components that implement the security design principle of secure recovery are defined;

-
+ +

systems or system components that implement the security design principle of secure recovery are defined;

+
- - - + + + @@ -59326,25 +56393,23 @@ -

Implement the security design principle of secure failure and recovery in .

+

Implement the security design principle of secure failure and recovery in .

The principle of secure failure and recovery states that neither a failure in a system function or mechanism nor any recovery action in response to failure leads to a violation of security policy. The principle of secure failure and recovery parallels the principle of continuous protection to ensure that a system is capable of detecting (within limits) actual and impending failure at any stage of its operation (i.e., initialization, normal operation, shutdown, and maintenance) and to take appropriate steps to ensure that security policies are not violated. In addition, when specified, the system is capable of recovering from impending or actual failure to resume normal, degraded, or alternative secure operations while ensuring that a secure state is maintained such that security policies are not violated.

Failure is a condition in which the behavior of a component deviates from its specified or expected behavior for an explicitly documented input. Once a failed security function is detected, the system may reconfigure itself to circumvent the failed component while maintaining security and provide all or part of the functionality of the original system, or it may completely shut itself down to prevent any further violation of security policies. For this to occur, the reconfiguration functions of the system are designed to ensure continuous enforcement of security policy during the various phases of reconfiguration.

-

Another technique that can be used to recover from failures is to perform a rollback to a secure state (which may be the initial state) and then either shutdown or replace the service or component that failed such that secure operations may resume. Failure of a component may or may not be detectable to the components using it. The principle of secure failure indicates that components fail in a state that denies rather than grants access. For example, a nominally atomic operation interrupted before completion does not violate security policy and is designed to handle interruption events by employing higher-level atomicity and rollback mechanisms (e.g., transactions). If a service is being used, its atomicity properties are well-documented and characterized so that the component availing itself of that service can detect and handle interruption events appropriately. For example, a system is designed to gracefully respond to disconnection and support resynchronization and data consistency after disconnection.

+

Another technique that can be used to recover from failures is to perform a rollback to a secure state (which may be the initial state) and then either shutdown or replace the service or component that failed such that secure operations may resume. Failure of a component may or may not be detectable to the components using it. The principle of secure failure indicates that components fail in a state that denies rather than grants access. For example, a nominally atomic operation interrupted before completion does not violate security policy and is designed to handle interruption events by employing higher-level atomicity and rollback mechanisms (e.g., transactions). If a service is being used, its atomicity properties are well-documented and characterized so that the component availing itself of that service can detect and handle interruption events appropriately. For example, a system is designed to gracefully respond to disconnection and support resynchronization and data consistency after disconnection.

Failure protection strategies that employ replication of policy enforcement mechanisms, sometimes called defense in depth, can allow the system to continue in a secure state even when one mechanism has failed to protect the system. If the mechanisms are similar, however, the additional protection may be illusory, as the adversary can simply attack in series. Similarly, in a networked system, breaking the security on one system or service may enable an attacker to do the same on other similar replicated systems and services. By employing multiple protection mechanisms whose features are significantly different, the possibility of attack replication or repetition can be reduced. Analyses are conducted to weigh the costs and benefits of such redundancy techniques against increased resource usage and adverse effects on the overall system performance. Additional analyses are conducted as the complexity of these mechanisms increases, as could be the case for dynamic behaviors. Increased complexity generally reduces trustworthiness. When a resource cannot be continuously protected, it is critical to detect and repair any security breaches before the resource is once again used in a secure context.

-

- implement the security design principle of secure failure;

+

implement the security design principle of secure failure;

-

- implement the security design principle of secure recovery.

+

implement the security design principle of secure recovery.

@@ -59401,34 +56466,27 @@ - -

systems or system components that implement the security design principle of economic security are defined;

-
+ +

systems or system components that implement the security design principle of economic security are defined;

+
- - - + + + -

Implement the security design principle of economic security in .

+

Implement the security design principle of economic security in .

The principle of economic security states that security mechanisms are not costlier than the potential damage that could occur from a security breach. This is the security-relevant form of the cost-benefit analyses used in risk management. The cost assumptions of cost-benefit analysis prevent the system designer from incorporating security mechanisms of greater strength than necessary, where strength of mechanism is proportional to cost. The principle of economic security also requires analysis of the benefits of assurance relative to the cost of that assurance in terms of the effort expended to obtain relevant and credible evidence as well as the necessary analyses to assess and draw trustworthiness and risk conclusions from the evidence.

-

- implement the security design principle of economic security.

+

implement the security design principle of economic security.

@@ -59469,29 +56527,23 @@ - -

systems or system components that implement the security design principle of performance security are defined;

-
+ +

systems or system components that implement the security design principle of performance security are defined;

+
- - - + + + -

Implement the security design principle of performance security in .

+

Implement the security design principle of performance security in .

The principle of performance security states that security mechanisms are constructed so that they do not degrade system performance unnecessarily. Stakeholder and system design requirements for performance and security are precisely articulated and prioritized. For the system implementation to meet its design requirements and be found acceptable to stakeholders (i.e., validation against stakeholder requirements), the designers adhere to the specified constraints that capability performance needs place on protection needs. The overall impact of computationally intensive security services (e.g., cryptography) are assessed and demonstrated to pose no significant impact to higher-priority performance considerations or are deemed to provide an acceptable trade-off of performance for trustworthy protection. The trade-off considerations include less computationally intensive security services unless they are unavailable or insufficient. The insufficiency of a security service is determined by functional capability and strength of mechanism. The strength of mechanism is selected with respect to security requirements, performance-critical overhead issues (e.g., cryptographic key management), and an assessment of the capability of the threat.

@@ -59499,8 +56551,7 @@
-

- implement the security design principle of performance security.

+

implement the security design principle of performance security.

@@ -59541,33 +56592,26 @@ - -

systems or system components that implement the security design principle of human factored security are defined;

-
+ +

systems or system components that implement the security design principle of human factored security are defined;

+
- - - + + + -

Implement the security design principle of human factored security in .

+

Implement the security design principle of human factored security in .

The principle of human factored security states that the user interface for security functions and supporting services is intuitive, user-friendly, and provides feedback for user actions that affect such policy and its enforcement. The mechanisms that enforce security policy are not intrusive to the user and are designed not to degrade user efficiency. Security policy enforcement mechanisms also provide the user with meaningful, clear, and relevant feedback and warnings when insecure choices are being made. Particular attention is given to interfaces through which personnel responsible for system administration and operation configure and set up the security policies. Ideally, these personnel are able to understand the impact of their choices. Personnel with system administrative and operational responsibilities are able to configure systems before start-up and administer them during runtime with confidence that their intent is correctly mapped to the system’s mechanisms. Security services, functions, and mechanisms do not impede or unnecessarily complicate the intended use of the system. There is a trade-off between system usability and the strictness necessary for security policy enforcement. If security mechanisms are frustrating or difficult to use, then users may disable them, avoid them, or use them in ways inconsistent with the security requirements and protection needs that the mechanisms were designed to satisfy.

-

- implement the security design principle of human factored security.

+

implement the security design principle of human factored security.

@@ -59610,33 +56654,26 @@ - -

systems or system components that implement the security design principle of acceptable security are defined;

-
+ +

systems or system components that implement the security design principle of acceptable security are defined;

+
- - - + + + -

Implement the security design principle of acceptable security in .

+

Implement the security design principle of acceptable security in .

The principle of acceptable security requires that the level of privacy and performance that the system provides is consistent with the users’ expectations. The perception of personal privacy may affect user behavior, morale, and effectiveness. Based on the organizational privacy policy and the system design, users should be able to restrict their actions to protect their privacy. When systems fail to provide intuitive interfaces or meet privacy and performance expectations, users may either choose to completely avoid the system or use it in ways that may be inefficient or even insecure.

-

- implement the security design principle of acceptable security.

+

implement the security design principle of acceptable security.

@@ -59682,22 +56719,16 @@ - -

systems or system components that implement the security design principle of repeatable and documented procedures are defined;

-
+ +

systems or system components that implement the security design principle of repeatable and documented procedures are defined;

+
- - - + + + @@ -59708,15 +56739,14 @@ -

Implement the security design principle of repeatable and documented procedures in .

+

Implement the security design principle of repeatable and documented procedures in .

The principle of repeatable and documented procedures states that the techniques and methods employed to construct a system component permit the same component to be completely and correctly reconstructed at a later time. Repeatable and documented procedures support the development of a component that is identical to the component created earlier, which may be in widespread use. In the case of other system artifacts (e.g., documentation and testing results), repeatability supports consistency and the ability to inspect the artifacts. Repeatable and documented procedures can be introduced at various stages within the system development life cycle and contribute to the ability to evaluate assurance claims for the system. Examples include systematic procedures for code development and review, procedures for the configuration management of development tools and system artifacts, and procedures for system delivery.

-

- implement the security design principle of repeatable and documented procedures.

+

implement the security design principle of repeatable and documented procedures.

@@ -59757,25 +56787,19 @@ - -

systems or system components that implement the security design principle of procedural rigor are defined;

-
+ +

systems or system components that implement the security design principle of procedural rigor are defined;

+
- - - + + + -

Implement the security design principle of procedural rigor in .

+

Implement the security design principle of procedural rigor in .

The principle of procedural rigor states that the rigor of a system life cycle process is commensurate with its intended trustworthiness. Procedural rigor defines the scope, depth, and detail of the system life cycle procedures. Rigorous system life cycle procedures contribute to the assurance that the system is correct and free of unintended functionality in several ways. First, the procedures impose checks and balances on the life cycle process such that the introduction of unspecified functionality is prevented.

@@ -59784,8 +56808,7 @@
-

- implement the security design principle of procedural rigor.

+

implement the security design principle of procedural rigor.

@@ -59826,35 +56849,28 @@ - -

systems or system components that implement the security design principle of secure system modification are defined;

-
+ +

systems or system components that implement the security design principle of secure system modification are defined;

+
- - - + + + -

Implement the security design principle of secure system modification in .

+

Implement the security design principle of secure system modification in .

The principle of secure system modification states that system modification maintains system security with respect to the security requirements and risk tolerance of stakeholders. Upgrades or modifications to systems can transform secure systems into systems that are not secure. The procedures for system modification ensure that if the system is to maintain its trustworthiness, the same rigor that was applied to its initial development is applied to any system changes. Because modifications can affect the ability of the system to maintain its secure state, a careful security analysis of the modification is needed prior to its implementation and deployment. This principle parallels the principle of secure evolvability.

-

- implement the security design principle of secure system modification.

+

implement the security design principle of secure system modification.

@@ -59900,36 +56916,29 @@ - -

systems or system components that implement the security design principle of sufficient documentation are defined;

-
+ +

systems or system components that implement the security design principle of sufficient documentation are defined;

+
- - - + + + -

Implement the security design principle of sufficient documentation in .

+

Implement the security design principle of sufficient documentation in .

The principle of sufficient documentation states that organizational personnel with responsibilities to interact with the system are provided with adequate documentation and other information such that the personnel contribute to rather than detract from system security. Despite attempts to comply with principles such as human factored security and acceptable security, systems are inherently complex, and the design intent for the use of security mechanisms and the ramifications of the misuse or misconfiguration of security mechanisms are not always intuitively obvious. Uninformed and insufficiently trained users can introduce vulnerabilities due to errors of omission and commission. The availability of documentation and training can help to ensure a knowledgeable cadre of personnel, all of whom have a critical role in the achievement of principles such as continuous protection. Documentation is written clearly and supported by training that provides security awareness and understanding of security-relevant responsibilities.

-

- implement the security design principle of sufficient documentation.

+

implement the security design principle of sufficient documentation.

@@ -59975,36 +56984,30 @@ - -

processes that implement the privacy principle of minimization are defined;

-
+ +

processes that implement the privacy principle of minimization are defined;

+
- - - + + + -

Implement the privacy principle of minimization using .

+

Implement the privacy principle of minimization using .

The principle of minimization states that organizations should only process personally identifiable information that is directly relevant and necessary to accomplish an authorized purpose and should only maintain personally identifiable information for as long as is necessary to accomplish the purpose. Organizations have processes in place, consistent with applicable laws and policies, to implement the principle of minimization.

-

the privacy principle of minimization is implemented using .

+

the privacy principle of minimization is implemented using .

@@ -60054,27 +57057,23 @@ - -

controls to be employed by external system service providers are defined;

-
+ +

controls to be employed by external system service providers are defined;

+
- -

processes, methods, and techniques employed to monitor control compliance by external service providers are defined;

-
+ +

processes, methods, and techniques employed to monitor control compliance by external service providers are defined;

+
- - + + @@ -60095,7 +57094,7 @@ -

Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: ;

+

Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: ;

@@ -60103,7 +57102,7 @@ -

Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: .

+

Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: .

@@ -60123,7 +57122,7 @@ -

providers of external system services employ ;

+

providers of external system services employ ;

@@ -60139,8 +57138,7 @@ -

- are employed to monitor control compliance by external service providers on an ongoing basis.

+

are employed to monitor control compliance by external service providers on an ongoing basis.

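Review bot: this header drops from 8 to 7 lines while the objective text (" are employed to monitor control compliance by external service providers on an ongoing basis.") is unchanged, so a line break inside the paragraph's mixed content was removed. Because the sentence's subject is supplied by an inline parameter reference immediately before " are employed", the whitespace between the two is significant text; confirm the reformat keeps exactly one space there rather than dropping it together with the newline. The same 8 to 7 pattern appears in the earlier hunk for "implement the security design principle of procedural rigor." and the later one for "approve the acquisition or outsourcing of dedicated information security services.", so one spot check of the regenerated XML for a fused "...providersare" or "...rolesapprove" would cover all three.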
@@ -60187,19 +57185,15 @@ - -

personnel or roles that approve the acquisition or outsourcing of dedicated information security services is/are defined;

-
+ +

personnel or roles that approve the acquisition or outsourcing of dedicated information security services is/are defined;

+
- - + + @@ -60211,7 +57205,7 @@
-

Verify that the acquisition or outsourcing of dedicated information security services is approved by .

+

Verify that the acquisition or outsourcing of dedicated information security services is approved by .

@@ -60225,8 +57219,7 @@ -

- approve the acquisition or outsourcing of dedicated information security services.

+

approve the acquisition or outsourcing of dedicated information security services.

@@ -60273,31 +57266,27 @@ - -

external system services that require the identification of functions, ports, protocols, and other services are defined;

-
+ +

external system services that require the identification of functions, ports, protocols, and other services are defined;

+
- - + + -

Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: .

+

Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: .

Information from external service providers regarding the specific functions, ports, protocols, and services used in the provision of such services can be useful when the need arises to understand the trade-offs involved in restricting certain functions and services or blocking certain ports and protocols.

-

providers of are required to identify the functions, ports, protocols, and other services required for the use of such services.

+

providers of are required to identify the functions, ports, protocols, and other services required for the use of such services.

@@ -60330,41 +57319,33 @@ Establish and Maintain Trust Relationship with Providers - - + + - -

security requirements, properties, factors, or conditions defining acceptable trust relationships on which a trust relationship is maintained are defined;

-
+ +

security requirements, properties, factors, or conditions defining acceptable trust relationships on which a trust relationship is maintained are defined;

+
- -

privacy requirements, properties, factors, or conditions defining acceptable trust relationships on which a trust relationship is maintained are defined;

-
+ +

privacy requirements, properties, factors, or conditions defining acceptable trust relationships on which a trust relationship is maintained are defined;

+
- - + + -

Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: .

+

Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: .

Trust relationships between organizations and external service providers reflect the degree of confidence that the risk from using external services is at an acceptable level. Trust relationships can help organizations gain increased levels of confidence that service providers are providing adequate protection for the services rendered and can also be useful when conducting incident response or when planning for upgrades or obsolescence. Trust relationships can be complicated due to the potentially large number of entities participating in the consumer-provider interactions, subordinate relationships and levels of trust, and types of interactions between the parties. In some cases, the degree of trust is based on the level of control that organizations can exert on external service providers regarding the controls necessary for the protection of the service, information, or individual privacy and the evidence brought forth as to the effectiveness of the implemented controls. The level of control is established by the terms and conditions of the contracts or service-level agreements.

@@ -60373,19 +57354,19 @@ -

trust relationships with external service provides based on are established and documented;

+

trust relationships with external service provides based on are established and documented;

-

trust relationships with external service provides based on are maintained;

+

trust relationships with external service provides based on are maintained;

-

trust relationships with external service provides based on are established and documented;

+

trust relationships with external service provides based on are established and documented;

-

trust relationships with external service provides based on are maintained.

+

trust relationships with external service provides based on are maintained.

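Review bot: all four assessment objectives in this hunk read "trust relationships with external service provides based on ... are established and documented" or "... are maintained", where "provides" should be "providers"; the reformat carries the typo through unchanged. Since this PR is whitespace-only it should not fix it here, but it deserves a follow-up content fix, and the correction applies to each of the four lines (they are the security and privacy pairs whose parameters are defined at the top of the preceding hunk).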
@@ -60425,38 +57406,33 @@ - -

external service providers are defined;

-
+ +

external service providers are defined;

+
- -

actions to be taken to verify that the interests of external service providers are consistent with and reflect organizational interests are defined;

-
+ +

actions to be taken to verify that the interests of external service providers are consistent with and reflect organizational interests are defined;

+
- - + + -

Take the following actions to verify that the interests of are consistent with and reflect organizational interests: .

+

Take the following actions to verify that the interests of are consistent with and reflect organizational interests: .

As organizations increasingly use external service providers, it is possible that the interests of the service providers may diverge from organizational interests. In such situations, simply having the required technical, management, or operational controls in place may not be sufficient if the providers that implement and manage those controls are not operating in a manner consistent with the interests of the consuming organizations. Actions that organizations take to address such concerns include requiring background checks for selected service provider personnel; examining ownership records; employing only trustworthy service providers, such as providers with which organizations have had successful trust relationships; and conducting routine, periodic, unscheduled visits to service provider facilities.

-

- are taken to verify that the interests of are consistent with and reflect organizational interests.

+

are taken to verify that the interests of are consistent with and reflect organizational interests.

@@ -60510,42 +57486,36 @@ - -

locations where is/are to be restricted are defined;

-
+ +

locations where is/are to be restricted are defined;

+
- + - -

requirements or conditions for restricting the location of are defined;

-
+ +

requirements or conditions for restricting the location of are defined;

+
- - + + -

Restrict the location of to based on .

+

Restrict the location of to based on .

The location of information processing, information and data storage, or system services can have a direct impact on the ability of organizations to successfully execute their mission and business functions. The impact occurs when external providers control the location of processing, storage, or services. The criteria that external providers use for the selection of processing, storage, or service locations may be different from the criteria that organizations use. For example, organizations may desire that data or information storage locations be restricted to certain locations to help facilitate incident response activities in case of information security incidents or breaches. Incident response activities, including forensic analyses and after-the-fact investigations, may be adversely affected by the governing laws, policies, or protocols in the locations where processing and storage occur and/or the locations from which system services emanate.

-

based on , is/are restricted to .

+

based on , is/are restricted to .

@@ -60590,12 +57560,8 @@ - - + + @@ -60652,12 +57618,8 @@ - - + + @@ -60713,12 +57675,8 @@ - - + + @@ -60785,32 +57743,26 @@ - + - -

configuration items under configuration management are defined;

-
+ +

configuration items under configuration management are defined;

+
- -

personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is/are defined;

-
+ +

personnel to whom security flaws and flaw resolutions within the system, component, or service are reported is/are defined;

+
- - + + @@ -60834,11 +57786,11 @@

Require the developer of the system, system component, or system service to:

-

Perform configuration management during system, component, or service ;

+

Perform configuration management during system, component, or service ;

-

Document, manage, and control the integrity of changes to ;

+

Document, manage, and control the integrity of changes to ;

@@ -60850,7 +57802,7 @@ -

Track security flaws and flaw resolution within the system, component, or service and report findings to .

+

Track security flaws and flaw resolution within the system, component, or service and report findings to .

@@ -60861,21 +57813,21 @@ -

the developer of the system, system component, or system service is required to perform configuration management during system, component, or service ;

+

the developer of the system, system component, or system service is required to perform configuration management during system, component, or service ;

-

the developer of the system, system component, or system service is required to document the integrity of changes to ;

+

the developer of the system, system component, or system service is required to document the integrity of changes to ;

-

the developer of the system, system component, or system service is required to manage the integrity of changes to ;

+

the developer of the system, system component, or system service is required to manage the integrity of changes to ;

-

the developer of the system, system component, or system service is required to control the integrity of changes to ;

+

the developer of the system, system component, or system service is required to control the integrity of changes to ;

@@ -60909,7 +57861,7 @@ -

the developer of the system, system component, or system service is required to report findings to .

+

the developer of the system, system component, or system service is required to report findings to .

@@ -60955,12 +57907,8 @@ - - + + @@ -61019,12 +57967,8 @@ - - + +

Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.

@@ -61082,12 +58026,8 @@ - - + + @@ -61142,18 +58082,14 @@ - - + +

Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions, source code, and object code with previous versions.

-

The trusted generation of descriptions, source code, and object code addresses authorized changes to hardware, software, and firmware components between versions during development. The focus is on the efficacy of the configuration management process by the developer to ensure that newly generated versions of security-relevant hardware descriptions, source code, and object code continue to enforce the security policy for the system, system component, or system service. In contrast, SA-10(1) and SA-10(3) allow organizations to detect unauthorized changes to hardware, software, and firmware components using tools, techniques, or mechanisms provided by developers.

+

The trusted generation of descriptions, source code, and object code addresses authorized changes to hardware, software, and firmware components between versions during development. The focus is on the efficacy of the configuration management process by the developer to ensure that newly generated versions of security-relevant hardware descriptions, source code, and object code continue to enforce the security policy for the system, system component, or system service. In contrast, SA-10(1) and SA-10(3) allow organizations to detect unauthorized changes to hardware, software, and firmware components using tools, techniques, or mechanisms provided by developers.

@@ -61202,12 +58138,8 @@ - - + +

Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hardware, software, and firmware and the on-site master copy of the data for the current version.

@@ -61262,12 +58194,8 @@ - - + +

Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organization are exactly as specified by the master copies.

@@ -61318,78 +58246,64 @@ Security and Privacy Representatives - - + + - - + + - -

security representatives to be included in the configuration change management and control process are defined;

-
+ +

security representatives to be included in the configuration change management and control process are defined;

+
- -

privacy representatives to be included in the configuration change management and control process are defined;

-
+ +

privacy representatives to be included in the configuration change management and control process are defined;

+
- -

configuration change management and control processes in which security representatives are required to be included are defined;

-
+ +

configuration change management and control processes in which security representatives are required to be included are defined;

+
- -

configuration change management and control processes in which privacy representatives are required to be included are defined;

-
+ +

configuration change management and control processes in which privacy representatives are required to be included are defined;

+
- - + + -

Require to be included in the .

+

Require to be included in the .

-

Information security and privacy representatives can include system security officers, senior agency information security officers, senior agency officials for privacy, and system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change management and control process in this control enhancement refers to the change management and control process defined by organizations in SA-10b.

+

Information security and privacy representatives can include system security officers, senior agency information security officers, senior agency officials for privacy, and system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change management and control process in this control enhancement refers to the change management and control process defined by organizations in SA-10b.

-

- are required to be included in the ;

+

are required to be included in the ;

-

- are required to be included in the .

+

are required to be included in the .

@@ -61440,27 +58354,23 @@ - -

frequency at which to conduct testing/evaluation is defined;

-
+ +

frequency at which to conduct testing/evaluation is defined;

+
- -

depth and coverage of testing/evaluation is defined;

-
+ +

depth and coverage of testing/evaluation is defined;

+
- - + + @@ -61487,7 +58397,7 @@
-

Perform testing/evaluation at ;

+

Perform testing/evaluation at ;

@@ -61529,7 +58439,7 @@ -

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform testing/evaluation at ;

+

the developer of the system, system component, or system service is required at all post-design stages of the system development life cycle to perform testing/evaluation at ;

@@ -61598,12 +58508,8 @@ - - + +

Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.

@@ -61670,79 +58576,65 @@ Threat Modeling and Vulnerability Analyses - - + + - - + + - + - -

information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used as contextual information for threat modeling and vulnerability analyses is defined;

-
+ +

information concerning impact, environment of operations, known or assumed threats, and acceptable risk levels to be used as contextual information for threat modeling and vulnerability analyses is defined;

+
- -

the tools and methods to be employed for threat modeling and vulnerability analyses are defined;

-
+ +

the tools and methods to be employed for threat modeling and vulnerability analyses are defined;

+
- -

the breadth and depth of threat modeling to be conducted is defined;

-
+ +

the breadth and depth of threat modeling to be conducted is defined;

+
- -

the breadth and depth of vulnerability analyses to be conducted is defined;

-
+ +

the breadth and depth of vulnerability analyses to be conducted is defined;

+
- -

acceptance criteria to be met by produced evidence for threat modeling are defined;

-
+ +

acceptance criteria to be met by produced evidence for threat modeling are defined;

+
- -

acceptance criteria to be met by produced evidence for vulnerability analyses are defined;

-
+ +

acceptance criteria to be met by produced evidence for vulnerability analyses are defined;

+
- - + + @@ -61751,19 +58643,19 @@

Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service that:

-

Uses the following contextual information: ;

+

Uses the following contextual information: ;

-

Employs the following tools and methods: ;

+

Employs the following tools and methods: ;

-

Conducts the modeling and analyses at the following level of rigor: ; and

+

Conducts the modeling and analyses at the following level of rigor: ; and

-

Produces evidence that meets the following acceptance criteria: .

+

Produces evidence that meets the following acceptance criteria: .

@@ -61775,68 +58667,68 @@ -

the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses ;

+

the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that uses ;

-

the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses ;

+

the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that uses ;

-

the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses ;

+

the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that uses ;

-

the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses ;

+

the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that uses ;

-

the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs ;

+

the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that employs ;

-

the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs ;

+

the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that employs ;

-

the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs ;

+

the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that employs ;

-

the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs ;

+

the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that employs ;

-

the developer of the system, system component, or system service is required to perform threat modeling at during development of the system, component, or service;

+

the developer of the system, system component, or system service is required to perform threat modeling at during development of the system, component, or service;

-

the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses at ;

+

the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that conducts modeling and analyses at ;

-

the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets ;

+

the developer of the system, system component, or system service is required to perform threat modeling during development of the system, component, or service that produces evidence that meets ;

-

the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets ;

+

the developer of the system, system component, or system service is required to perform threat modeling during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets ;

-

the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets ;

+

the developer of the system, system component, or system service is required to perform vulnerability analyses during development of the system, component, or service that produces evidence that meets ;

-

the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets .

+

the developer of the system, system component, or system service is required to perform vulnerability analyses during the subsequent testing and evaluation of the system, component, or service that produces evidence that meets .

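Review bot: the assessment objectives in this hunk are asymmetric on the level-of-rigor parameter: the contextual-information, tools-and-methods and acceptance-criteria groups each have four lines (threat modeling and vulnerability analyses, each during development and during the subsequent testing and evaluation), but the rigor group has only two ("... perform threat modeling at ... during development of the system, component, or service;" and "... perform vulnerability analyses during the subsequent testing and evaluation ... that conducts modeling and analyses at ..."), and the first of those also departs from the "conducts the modeling and analyses at the following level of rigor" phrasing used in the control statement above. This is inherited content rather than a whitespace issue, so keep it out of this PR, but open a follow-up to check whether the two missing combinations should be added and the wording aligned.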
@@ -61886,26 +58778,22 @@ - -

independence criteria to be satisfied by an independent agent are defined;

-
+ +

independence criteria to be satisfied by an independent agent are defined;

+
- - + + -

Require an independent agent satisfying to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and

+

Require an independent agent satisfying to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation; and

@@ -61921,11 +58809,11 @@ -

an independent agent is required to satisfy to verify the correct implementation of the developer security assessment plan and the evidence produced during testing and evaluation;

+

an independent agent is required to satisfy to verify the correct implementation of the developer security assessment plan and the evidence produced during testing and evaluation;

-

an independent agent is required to satisfy to verify the correct implementation of the developer privacy assessment plan and the evidence produced during testing and evaluation;

+

an independent agent is required to satisfy to verify the correct implementation of the developer privacy assessment plan and the evidence produced during testing and evaluation;

@@ -61979,37 +58867,33 @@ - -

specific code requiring manual code review is defined;

-
+ +

specific code requiring manual code review is defined;

+
- -

processes, procedures, and/or techniques used for manual code reviews are defined;

-
+ +

processes, procedures, and/or techniques used for manual code reviews are defined;

+
- - + + -

Require the developer of the system, system component, or system service to perform a manual code review of using the following processes, procedures, and/or techniques: .

+

Require the developer of the system, system component, or system service to perform a manual code review of using the following processes, procedures, and/or techniques: .

Manual code reviews are usually reserved for the critical software and firmware components of systems. Manual code reviews are effective at identifying weaknesses that require knowledge of the application’s requirements or context that, in most cases, is unavailable to automated analytic tools and techniques, such as static and dynamic analysis. The benefits of manual code review include the ability to verify access control matrices against application controls and review detailed aspects of cryptographic implementations and controls.

-

the developer of the system, system component, or system service is required to perform a manual code review of using .

+

the developer of the system, system component, or system service is required to perform a manual code review of using .

@@ -62053,45 +58937,37 @@ Penetration Testing - - + + - -

the breadth of penetration testing is defined;

-
+ +

the breadth of penetration testing is defined;

+
- -

the depth of penetration testing is defined;

-
+ +

the depth of penetration testing is defined;

+
- -

constraints of penetration testing are defined;

-
+ +

constraints of penetration testing are defined;

+
- - + + @@ -62104,11 +58980,11 @@

Require the developer of the system, system component, or system service to perform penetration testing:

-

At the following level of rigor: ; and

+

At the following level of rigor: ; and

-

Under the following constraints: .

+

Under the following constraints: .

@@ -62120,16 +58996,16 @@ -

the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: ;

+

the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: ;

-

the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: ;

+

the developer of the system, system component, or system service is required to perform penetration testing at the following level of rigor: ;

-

the developer of the system, system component, or system service is required to perform penetration testing under .

+

the developer of the system, system component, or system service is required to perform penetration testing under .

@@ -62176,12 +59052,8 @@ - - + + @@ -62234,41 +59106,33 @@ Verify Scope of Testing and Evaluation - - + + - -

the breadth of testing and evaluation of required controls is defined;

-
+ +

the breadth of testing and evaluation of required controls is defined;

+
- -

the depth of testing and evaluation of required controls is defined;

-
+ +

the depth of testing and evaluation of required controls is defined;

+
- - + + -

Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: .

+

Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level of rigor: .

Verifying that testing and evaluation provides complete coverage of required controls can be accomplished by a variety of analytic techniques ranging from informal to formal. Each of these techniques provides an increasing level of assurance that corresponds to the degree of formality of the analysis. Rigorously demonstrating control coverage at the highest levels of assurance can be achieved using formal modeling and analysis techniques, including correlation between control implementation and corresponding test cases.

@@ -62277,11 +59141,11 @@ -

the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at ;

+

the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at ;

-

the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at .

+

the developer of the system, system component, or system service is required to verify that the scope of testing and evaluation provides complete coverage of the required controls at .

@@ -62325,12 +59189,8 @@ - - + +

Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.

@@ -62392,12 +59252,8 @@ - - + +

Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.

@@ -62612,45 +59468,37 @@ Development Process, Standards, and Tools - - + + - -

frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;

-
+ +

frequency at which to review the development process, standards, tools, tool options, and tool configurations is defined;

+
- -

security requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;

-
+ +

security requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;

+
- -

privacy requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;

-
+ +

privacy requirements to be satisfied by the process, standards, tools, tool options, and tool configurations are defined;

+
- - + + @@ -62687,7 +59535,7 @@
-

Review the development process, standards, tools, tool options, and tool configurations to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: .

+

Review the development process, standards, tools, tool options, and tool configurations to determine if the process, standards, tools, tool options and tool configurations selected and employed can satisfy the following security and privacy requirements: .

@@ -62739,11 +59587,11 @@ -

the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy ;

+

the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy ;

-

the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy .

+

the developer of the system, system component, or system service is required to follow a documented development process in which the development process, standards, tools, tool options, and tool configurations are reviewed to determine that the process, standards, tools, tool options, and tool configurations selected and employed satisfy .

@@ -62789,12 +59637,8 @@ @@ -62802,28 +59646,24 @@ - -

frequency at which to provide evidence of meeting the quality metrics is defined (if selected);

-
+ +

frequency at which to provide evidence of meeting the quality metrics is defined (if selected);

+
- -

program review milestones are defined (if selected);

-
+ +

program review milestones are defined (if selected);

+
- - + +

Require the developer of the system, system component, or system service to:

@@ -62833,7 +59673,7 @@
-

Provide evidence of meeting the quality metrics .

+

Provide evidence of meeting the quality metrics .

@@ -62847,7 +59687,7 @@ -

the developer of the system, system component, or system service is required to provide evidence of meeting the quality metrics .

+

the developer of the system, system component, or system service is required to provide evidence of meeting the quality metrics .

@@ -62882,12 +59722,8 @@ - - + + @@ -62942,59 +59778,49 @@ Criticality Analysis - - + + - + - -

decision points in the system development life cycle are defined;

-
+ +

decision points in the system development life cycle are defined;

+
- -

the breadth of criticality analysis is defined;

-
+ +

the breadth of criticality analysis is defined;

+
- -

the depth of criticality analysis is defined;

-
+ +

the depth of criticality analysis is defined;

+
- - + +

Require the developer of the system, system component, or system service to perform a criticality analysis:

-

At the following decision points in the system development life cycle: ; and

+

At the following decision points in the system development life cycle: ; and

-

At the following level of rigor: .

+

At the following level of rigor: .

@@ -63004,17 +59830,17 @@ -

the developer of the system, system component, or system service is required to perform a criticality analysis at in the system development life cycle;

+

the developer of the system, system component, or system service is required to perform a criticality analysis at in the system development life cycle;

-

the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: ;

+

the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: ;

-

the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: .

+

the developer of the system, system component, or system service is required to perform a criticality analysis at the following rigor level: .

@@ -63071,33 +59897,29 @@ - -

thresholds to which attack surfaces are to be reduced are defined;

-
+ +

thresholds to which attack surfaces are to be reduced are defined;

+
- - + + -

Require the developer of the system, system component, or system service to reduce attack surfaces to .

+

Require the developer of the system, system component, or system service to reduce attack surfaces to .

Attack surface reduction is closely aligned with threat and vulnerability analyses and system architecture and design. Attack surface reduction is a means of reducing risk to organizations by giving attackers less opportunity to exploit weaknesses or deficiencies (i.e., potential vulnerabilities) within systems, system components, and system services. Attack surface reduction includes implementing the concept of layered defenses, applying the principles of least privilege and least functionality, applying secure software development practices, deprecating unsafe functions, reducing entry points available to unauthorized users, reducing the amount of code that executes, and eliminating application programming interfaces (APIs) that are vulnerable to attacks.

-

the developer of the system, system component, or system service is required to reduce attack surfaces to .

+

the developer of the system, system component, or system service is required to reduce attack surfaces to .

@@ -63141,12 +59963,8 @@ - - + +

Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.

@@ -63196,43 +60014,39 @@ - -

frequency at which to conduct vulnerability analysis is defined;

-
+ +

frequency at which to conduct vulnerability analysis is defined;

+
- -

tools used to perform automated vulnerability analysis are defined;

-
+ +

tools used to perform automated vulnerability analysis are defined;

+
- -

personnel or roles to whom the outputs of tools and results of the analysis are to be delivered is/are defined;

-
+ +

personnel or roles to whom the outputs of tools and results of the analysis are to be delivered is/are defined;

+
- - + + -

Require the developer of the system, system component, or system service to:

+

Require the developer of the system, system component, or system service to:

-

Perform an automated vulnerability analysis using ;

+

Perform an automated vulnerability analysis using ;

@@ -63244,7 +60058,7 @@ -

Deliver the outputs of the tools and results of the analysis to .

+

Deliver the outputs of the tools and results of the analysis to .

@@ -63254,19 +60068,19 @@ -

the developer of the system, system component, or system service is required to perform automated vulnerability analysis using ;

+

the developer of the system, system component, or system service is required to perform automated vulnerability analysis using ;

-

the developer of the system, system component, or system service is required to determine the exploitation potential for discovered vulnerabilities ;

+

the developer of the system, system component, or system service is required to determine the exploitation potential for discovered vulnerabilities ;

-

the developer of the system, system component, or system service is required to determine potential risk mitigations for delivered vulnerabilities;

+

the developer of the system, system component, or system service is required to determine potential risk mitigations for delivered vulnerabilities;

-

the developer of the system, system component, or system service is required to deliver the outputs of the tools and results of the analysis to .

+

the developer of the system, system component, or system service is required to deliver the outputs of the tools and results of the analysis to .

@@ -63312,12 +60126,8 @@ - - + +

Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current development process.

@@ -63376,12 +60186,8 @@ - - + + @@ -63441,12 +60247,8 @@ - - + + @@ -63491,12 +60293,8 @@ - - + + @@ -63555,33 +60353,29 @@ - -

training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms provided by the developer of the system, system component, or system service is defined;

-
+ +

training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms provided by the developer of the system, system component, or system service is defined;

+
- - + + -

Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: .

+

Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms: .

Developer-provided training applies to external and internal (in-house) developers. Training personnel is essential to ensuring the effectiveness of the controls implemented within organizational systems. Types of training include web-based and computer-based training, classroom-style training, and hands-on training (including micro-training). Organizations can also request training materials from developers to conduct in-house training or offer self-training to organizational personnel. Organizations determine the type of training necessary and may require different types of training for different security and privacy functions, controls, and mechanisms.

-

the developer of the system, system component, or system service is required to provide on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms.

+

the developer of the system, system component, or system service is required to provide on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms.

@@ -63620,12 +60414,8 @@ - - + + @@ -63652,7 +60442,7 @@
-

Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, PL-8 is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and PL-8 is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. ISO 15408-2, ISO 15408-3 , and SP 800-160-1 provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing.

+

Developer security and privacy architecture and design are directed at external developers, although they could also be applied to internal (in-house) development. In contrast, PL-8 is directed at internal developers to ensure that organizations develop a security and privacy architecture that is integrated with the enterprise architecture. The distinction between SA-17 and PL-8 is especially important when organizations outsource the development of systems, system components, or system services and when there is a requirement to demonstrate consistency with the enterprise architecture and security and privacy architecture of the organization. ISO 15408-2, ISO 15408-3 , and SP 800-160-1 provide information on security architecture and design, including formal policy models, security-relevant components, formal and informal correspondence, conceptually simple design, and structuring for least privilege and testing.

@@ -63722,37 +60512,29 @@ Formal Policy Model - - + + - -

organizational security policy to be enforced is defined;

-
+ +

organizational security policy to be enforced is defined;

+
- -

organizational privacy policy to be enforced is defined;

-
+ +

organizational privacy policy to be enforced is defined;

+
- - + + @@ -63761,7 +60543,7 @@

Require the developer of the system, system component, or system service to:

-

Produce, as an integral part of the development process, a formal policy model describing the to be enforced; and

+

Produce, as an integral part of the development process, a formal policy model describing the to be enforced; and

@@ -63777,11 +60559,11 @@ -

as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the to be enforced;

+

as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the to be enforced;

-

as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the to be enforced;

+

as an integral part of the development process, the developer of the system, system component, or system service is required to produce a formal policy model describing the to be enforced;

@@ -63831,12 +60613,8 @@ - - + + @@ -63909,12 +60687,8 @@ - - + + @@ -64025,12 +60799,8 @@ - - + + @@ -64045,7 +60815,7 @@ -

Show via that the descriptive top-level specification is consistent with the formal policy model;

+

Show via that the descriptive top-level specification is consistent with the formal policy model;

@@ -64082,7 +60852,7 @@ -

the developer of the system, system component, or system service is required to show via that the descriptive top-level specification is consistent with the formal policy model;

+

the developer of the system, system component, or system service is required to show via that the descriptive top-level specification is consistent with the formal policy model;

@@ -64134,12 +60904,8 @@ - - + + @@ -64156,7 +60922,7 @@
-

The principle of reduced complexity states that the system design is as simple and small as possible (see SA-8(7) ). A small and simple design is easier to understand and analyze and is also less prone to error (see AC-25, SA-8(13) ). The principle of reduced complexity applies to any aspect of a system, but it has particular importance for security due to the various analyses performed to obtain evidence about the emergent security property of the system. For such analyses to be successful, a small and simple design is essential. Application of the principle of reduced complexity contributes to the ability of system developers to understand the correctness and completeness of system security functions and facilitates the identification of potential vulnerabilities. The corollary of reduced complexity states that the simplicity of the system is directly related to the number of vulnerabilities it will contain. That is, simpler systems contain fewer vulnerabilities. An important benefit of reduced complexity is that it is easier to understand whether the security policy has been captured in the system design and that fewer vulnerabilities are likely to be introduced during engineering development. An additional benefit is that any such conclusion about correctness, completeness, and existence of vulnerabilities can be reached with a higher degree of assurance in contrast to conclusions reached in situations where the system design is inherently more complex.

+

The principle of reduced complexity states that the system design is as simple and small as possible (see SA-8(7) ). A small and simple design is easier to understand and analyze and is also less prone to error (see AC-25, SA-8(13) ). The principle of reduced complexity applies to any aspect of a system, but it has particular importance for security due to the various analyses performed to obtain evidence about the emergent security property of the system. For such analyses to be successful, a small and simple design is essential. Application of the principle of reduced complexity contributes to the ability of system developers to understand the correctness and completeness of system security functions and facilitates the identification of potential vulnerabilities. The corollary of reduced complexity states that the simplicity of the system is directly related to the number of vulnerabilities it will contain. That is, simpler systems contain fewer vulnerabilities. An important benefit of reduced complexity is that it is easier to understand whether the security policy has been captured in the system design and that fewer vulnerabilities are likely to be introduced during engineering development. An additional benefit is that any such conclusion about correctness, completeness, and existence of vulnerabilities can be reached with a higher degree of assurance in contrast to conclusions reached in situations where the system design is inherently more complex.

@@ -64204,12 +60970,8 @@ - - + + @@ -64217,7 +60979,7 @@

Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate testing.

-

Applying the security design principles in SP 800-160-1 promotes complete, consistent, and comprehensive testing and evaluation of systems, system components, and services. The thoroughness of such testing contributes to the evidence produced to generate an effective assurance case or argument as to the trustworthiness of the system, system component, or service.

+

Applying the security design principles in SP 800-160-1 promotes complete, consistent, and comprehensive testing and evaluation of systems, system components, and services. The thoroughness of such testing contributes to the evidence produced to generate an effective assurance case or argument as to the trustworthiness of the system, system component, or service.

@@ -64260,12 +61022,8 @@ - - + + @@ -64274,7 +61032,7 @@

Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.

-

The principle of least privilege states that each component is allocated sufficient privileges to accomplish its specified functions but no more (see SA-8(14) ). Applying the principle of least privilege limits the scope of the component’s actions, which has two desirable effects. First, the security impact of a failure, corruption, or misuse of the system component results in a minimized security impact. Second, the security analysis of the component is simplified. Least privilege is a pervasive principle that is reflected in all aspects of the secure system design. Interfaces used to invoke component capability are available to only certain subsets of the user population, and component design supports a sufficiently fine granularity of privilege decomposition. For example, in the case of an audit mechanism, there may be an interface for the audit manager, who configures the audit settings; an interface for the audit operator, who ensures that audit data is safely collected and stored; and, finally, yet another interface for the audit reviewer, who only has a need to view the audit data that has been collected but no need to perform operations on that data.

+

The principle of least privilege states that each component is allocated sufficient privileges to accomplish its specified functions but no more (see SA-8(14) ). Applying the principle of least privilege limits the scope of the component’s actions, which has two desirable effects. First, the security impact of a failure, corruption, or misuse of the system component results in a minimized security impact. Second, the security analysis of the component is simplified. Least privilege is a pervasive principle that is reflected in all aspects of the secure system design. Interfaces used to invoke component capability are available to only certain subsets of the user population, and component design supports a sufficiently fine granularity of privilege decomposition. For example, in the case of an audit mechanism, there may be an interface for the audit manager, who configures the audit settings; an interface for the audit operator, who ensures that audit data is safely collected and stored; and, finally, yet another interface for the audit reviewer, who only has a need to view the audit data that has been collected but no need to perform operations on that data.

In addition to its manifestations at the system interface, least privilege can be used as a guiding principle for the internal structure of the system itself. One aspect of internal least privilege is to construct modules so that only the elements encapsulated by the module are directly operated upon by the functions within the module. Elements external to a module that may be affected by the module’s operation are indirectly accessed through interaction (e.g., via a function call) with the module that contains those elements. Another aspect of internal least privilege is that the scope of a given module or component includes only those system elements that are necessary for its functionality, and the access modes to the elements (e.g., read, write) are minimal.

@@ -64315,46 +61073,37 @@ Orchestration - + - -

critical systems or system components are defined;

-
+ +

critical systems or system components are defined;

+
- + - -

capabilities to be implemented by systems or components are defined;

-
+ +

capabilities to be implemented by systems or components are defined;

+
- - + + -

Design with coordinated behavior to implement the following capabilities: .

+

Design with coordinated behavior to implement the following capabilities: .

Security resources that are distributed, located at different layers or in different system elements, or are implemented to support different aspects of trustworthiness can interact in unforeseen or incorrect ways. Adverse consequences can include cascading failures, interference, or coverage gaps. Coordination of the behavior of security resources (e.g., by ensuring that one patch is installed across all resources before making a configuration change that assumes that the patch is propagated) can avert such negative interactions.

-

- are designed with coordinated behavior to implement .

+

are designed with coordinated behavior to implement .

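Review bot: the last removed line of this hunk reads "- are designed with coordinated behavior to implement ." while its replacement reads "are designed with coordinated behavior to implement ."; every other removed/added pair in the hunk is identical text, so confirm that the leading "- " is only the diff prefix doubled up by the reflow and not a literal hyphen that stood in the old markup and was dropped, since a dropped character would make this more than a whitespace change.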
@@ -64392,34 +61141,28 @@ Design Diversity - + - -

critical systems or system components to be designed differently are defined;

-
+ +

critical systems or system components to be designed differently are defined;

+
- - + + -

Use different designs for to satisfy a common set of requirements or to provide equivalent functionality.

+

Use different designs for to satisfy a common set of requirements or to provide equivalent functionality.

Design diversity is achieved by supplying the same requirements specification to multiple developers, each of whom is responsible for developing a variant of the system or system component that meets the requirements. Variants can be in software design, in hardware design, or in both hardware and a software design. Differences in the designs of the variants can result from developer experience (e.g., prior use of a design pattern), design style (e.g., when decomposing a required function into smaller tasks, determining what constitutes a separate task and how far to decompose tasks into sub-tasks), selection of libraries to incorporate into the variant, and the development environment (e.g., different design tools make some design patterns easier to visualize). Hardware design diversity includes making different decisions about what information to keep in analog form and what information to convert to digital form, transmitting the same information at different times, and introducing delays in sampling (temporal diversity). Design diversity is commonly used to support fault tolerance.

-

different designs are used for to satisfy a common set of requirements or to provide equivalent functionality.

+

different designs are used for to satisfy a common set of requirements or to provide equivalent functionality.

@@ -64519,38 +61262,31 @@ Customized Development of Critical Components - + - -

critical system components to be reimplemented or custom-developed are defined;

-
+ +

critical system components to be reimplemented or custom-developed are defined;

+
- - + + -

Reimplement or custom develop the following critical system components: .

+

Reimplement or custom develop the following critical system components: .

Organizations determine that certain system components likely cannot be trusted due to specific threats to and vulnerabilities in those components for which there are no viable security controls to adequately mitigate risk. Reimplementation or custom development of such components may satisfy requirements for higher assurance and is carried out by initiating changes to system components (including hardware, software, and firmware) such that the standard attacks by adversaries are less likely to succeed. In situations where no alternative sourcing is available and organizations choose not to reimplement or custom develop critical system components, additional controls can be employed. Controls include enhanced auditing, restrictions on source code and system utility access, and protection from deletion of system and application files.

-

- are reimplemented or custom-developed.

+

are reimplemented or custom-developed.

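Review bot: same question as for the Orchestration hunk above: the removed line "- are reimplemented or custom-developed." becomes "are reimplemented or custom-developed." with the leading "- " gone, while the rest of the hunk is text-identical; check that nothing but whitespace changed in that paragraph.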
@@ -64590,40 +61326,34 @@ Developer Screening - + - -

the system, systems component, or system service that the developer has access to is/are defined;

-
+ +

the system, systems component, or system service that the developer has access to is/are defined;

+
- -

official government duties assigned to the developer are defined;

-
+ +

official government duties assigned to the developer are defined;

+
- -

additional personnel screening criteria for the developer are defined;

-
+ +

additional personnel screening criteria for the developer are defined;

+
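Review bot: "the system, systems component, or system service" is carried over unchanged on both sides of this hunk; "systems component" looks like a typo for "system component", which every other objective on this page uses. It is out of scope for a whitespace-only reflow, but it should either be confirmed as faithful to the published text or fixed in a separate content commit rather than propagated silently.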
- - + + @@ -64631,28 +61361,28 @@ -

Require that the developer of :

+

Require that the developer of :

-

Has appropriate access authorizations as determined by assigned ; and

+

Has appropriate access authorizations as determined by assigned ; and

-

Satisfies the following additional personnel screening criteria: .

+

Satisfies the following additional personnel screening criteria: .

-

Developer screening is directed at external developers. Internal developer screening is addressed by PS-3 . Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals who access the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships that the company has with entities that may potentially affect the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements.

+

Developer screening is directed at external developers. Internal developer screening is addressed by PS-3 . Because the system, system component, or system service may be used in critical activities essential to the national or economic security interests of the United States, organizations have a strong interest in ensuring that developers are trustworthy. The degree of trust required of developers may need to be consistent with that of the individuals who access the systems, system components, or system services once deployed. Authorization and personnel screening criteria include clearances, background checks, citizenship, and nationality. Developer trustworthiness may also include a review and analysis of company ownership and relationships that the company has with entities that may potentially affect the quality and reliability of the systems, components, or services being developed. Satisfying the required access authorizations and personnel screening criteria includes providing a list of all individuals who are authorized to perform development activities on the selected system, system component, or system service so that organizations can validate that the developer has satisfied the authorization and screening requirements.

-

the developer of is required to have appropriate access authorizations as determined by assigned ;

+

the developer of is required to have appropriate access authorizations as determined by assigned ;

-

the developer of is required to satisfy .

+

the developer of is required to satisfy .
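Review bot: every line in this hunk (and in most of the hunks that follow) appears on both the removed and added sides with identical text, and the hunk headers show the file shrinking by several thousand lines overall (for example -64631,28 +61361,28 here and -64590,40 +61326,34 just above). At that volume a reviewer cannot distinguish pure reindentation from an accidental content edit by reading the diff, so please attach evidence that the two versions are semantically identical: for instance, normalize both files with `xmllint --noblanks` and diff the results, or run an XML-aware comparison that ignores insignificant whitespace, and note in the PR that the only expected difference is the metadata timestamp. An empty content diff is what a whitespace-only commit should be able to show.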

@@ -64707,28 +61437,22 @@ - -

support from external providers is defined (if selected);

-
+ +

support from external providers is defined (if selected);

+
- - + + @@ -64738,7 +61462,7 @@ -

Provide the following options for alternative sources for continued support for unsupported components .

+

Provide the following options for alternative sources for continued support for unsupported components .

@@ -64753,8 +61477,7 @@ -

- provide options for alternative sources for continued support for unsupported components.

+

provide options for alternative sources for continued support for unsupported components.

@@ -64812,33 +61535,28 @@ - -

systems or system components supporting mission-essential services or functions are defined;

-
+ +

systems or system components supporting mission-essential services or functions are defined;

+
- - + + -

Employ on supporting mission essential services or functions to increase the trustworthiness in those systems or components.

+

Employ on supporting mission essential services or functions to increase the trustworthiness in those systems or components.

It is often necessary for a system or system component that supports mission-essential services or functions to be enhanced to maximize the trustworthiness of the resource. Sometimes this enhancement is done at the design level. In other instances, it is done post-design, either through modifications of the system in question or by augmenting the system with additional components. For example, supplemental authentication or non-repudiation functions may be added to the system to enhance the identity of critical resources to other resources that depend on the organization-defined resources.

-

- is employed on supporting essential services or functions to increase the trustworthiness in those systems or components.

+

is employed on supporting essential services or functions to increase the trustworthiness in those systems or components.

@@ -64877,27 +61595,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the system and communications protection policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the system and communications protection procedures are to be disseminated is/are defined;

+
@@ -64912,51 +61626,47 @@ - -

an official to manage the system and communications protection policy and procedures is defined;

-
+ +

an official to manage the system and communications protection policy and procedures is defined;

+
- -

the frequency at which the current system and communications protection policy is reviewed and updated is defined;

-
+ +

the frequency at which the current system and communications protection policy is reviewed and updated is defined;

+
- -

events that would require the current system and communications protection policy to be reviewed and updated are defined;

-
+ +

events that would require the current system and communications protection policy to be reviewed and updated are defined;

+
- -

the frequency at which the current system and communications protection procedures are reviewed and updated is defined;

-
+ +

the frequency at which the current system and communications protection procedures are reviewed and updated is defined;

+
- -

events that would require the system and communications protection procedures to be reviewed and updated are defined;

-
+ +

events that would require the system and communications protection procedures to be reviewed and updated are defined;

+
- - + + @@ -64967,11 +61677,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- system and communications protection policy that:

+

system and communications protection policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

@@ -64988,18 +61697,18 @@
-

Designate an to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and

Review and update the current system and communications protection:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -65016,7 +61725,7 @@
-

the system and communications protection policy is disseminated to ;

+

the system and communications protection policy is disseminated to ;

@@ -65024,7 +61733,7 @@ -

the system and communications protection procedures are disseminated to ;

+

the system and communications protection procedures are disseminated to ;

@@ -65032,42 +61741,42 @@ -

the system and communications protection policy addresses purpose;

+

the system and communications protection policy addresses purpose;

-

the system and communications protection policy addresses scope;

+

the system and communications protection policy addresses scope;

-

the system and communications protection policy addresses roles;

+

the system and communications protection policy addresses roles;

-

the system and communications protection policy addresses responsibilities;

+

the system and communications protection policy addresses responsibilities;

-

the system and communications protection policy addresses management commitment;

+

the system and communications protection policy addresses management commitment;

-

the system and communications protection policy addresses coordination among organizational entities;

+

the system and communications protection policy addresses coordination among organizational entities;

-

the system and communications protection policy addresses compliance;

+

the system and communications protection policy addresses compliance;

-

the system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+

the system and communications protection policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

-

the is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the system and communications protection policy and procedures;

@@ -65075,22 +61784,22 @@ -

the current system and communications protection policy is reviewed and updated ;

+

the current system and communications protection policy is reviewed and updated ;

-

the current system and communications protection policy is reviewed and updated following ;

+

the current system and communications protection policy is reviewed and updated following ;

-

the current system and communications protection procedures are reviewed and updated ;

+

the current system and communications protection procedures are reviewed and updated ;

-

the current system and communications protection procedures are reviewed and updated following .

+

the current system and communications protection procedures are reviewed and updated following .

@@ -65122,12 +61831,8 @@ - - + + @@ -65140,7 +61845,7 @@

Separate user functionality, including user interface services, from system management functionality.

-

System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-8 , including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14) , and SA-8(18).

+

System management functionality includes functions that are necessary to administer databases, network components, workstations, or servers. These functions typically require privileged user access. The separation of user functions from system management functions is physical or logical. Organizations may separate system management functions from user functions by using different computers, instances of operating systems, central processing units, or network addresses; by employing virtualization techniques; or some combination of these or other methods. Separation of system management functions from user functions includes web administrative interfaces that employ separate authentication methods for users of any other system resources. Separation of system and user functions may include isolating administrative interfaces on different domains and with additional access controls. The separation of system and user functionality can be achieved by applying the systems security engineering design principles in SA-8 , including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14) , and SA-8(18).

@@ -65180,12 +61885,8 @@ - - + + @@ -65234,12 +61935,8 @@ - - + +

Store state information from applications and software separately.

@@ -65288,12 +61985,8 @@ - - + + @@ -65313,7 +62006,7 @@

Isolate security functions from nonsecurity functions.

-

Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented within a system via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform system security functions. Systems implement code separation in many ways, such as through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code. Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities. While the ideal is for all code within the defined security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions as an exception. The isolation of security functions from nonsecurity functions can be achieved by applying the systems security engineering design principles in SA-8 , including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14) , and SA-8(18).

+

Security functions are isolated from nonsecurity functions by means of an isolation boundary implemented within a system via partitions and domains. The isolation boundary controls access to and protects the integrity of the hardware, software, and firmware that perform system security functions. Systems implement code separation in many ways, such as through the provision of security kernels via processor rings or processor modes. For non-kernel code, security function isolation is often achieved through file system protections that protect the code on disk and address space protections that protect executing code. Systems can restrict access to security functions using access control mechanisms and by implementing least privilege capabilities. While the ideal is for all code within the defined security function isolation boundary to only contain security-relevant code, it is sometimes necessary to include nonsecurity functions as an exception. The isolation of security functions from nonsecurity functions can be achieved by applying the systems security engineering design principles in SA-8 , including SA-8(1), SA-8(3), SA-8(4), SA-8(10), SA-8(12), SA-8(13), SA-8(14) , and SA-8(18).

@@ -65354,12 +62047,8 @@ - - + +

Employ hardware separation mechanisms to implement security function isolation.

@@ -65407,12 +62096,8 @@ - - + +

Isolate security functions enforcing access and information flow control from nonsecurity functions and from other security functions.

@@ -65474,15 +62159,9 @@ - - - + + +

Minimize the number of nonsecurity functions included within the isolation boundary containing security functions.

@@ -65528,15 +62207,9 @@ - - - + + +

Implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.

@@ -65590,15 +62263,9 @@ - - - + + +

Implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.

@@ -65646,9 +62313,7 @@ - + @@ -65712,26 +62377,24 @@ - -

procedures to prevent unauthorized information transfer via shared resources are defined;

-
+ +

procedures to prevent unauthorized information transfer via shared resources are defined;

+
- + -

Prevent unauthorized information transfer via shared resources in accordance with when system processing explicitly switches between different information classification levels or security categories.

+

Prevent unauthorized information transfer via shared resources in accordance with when system processing explicitly switches between different information classification levels or security categories.

Changes in processing levels can occur during multilevel or periods processing with information at different classification levels or security categories. It can also occur during serial reuse of hardware components at different classification levels. Organization-defined procedures can include approved sanitization processes for electronically stored information.

-

unauthorized information transfer via shared resources is prevented in accordance with when system processing explicitly switches between different information classification levels or security categories.

+

unauthorized information transfer via shared resources is prevented in accordance with when system processing explicitly switches between different information classification levels or security categories.

@@ -65770,9 +62433,9 @@ - -

types of denial-of-service events to be protected against or limited are defined;

-
+ +

types of denial-of-service events to be protected against or limited are defined;

+
@@ -65786,16 +62449,14 @@ - -

controls to achieve the denial-of-service objective by type of denial-of-service event are defined;

-
+ +

controls to achieve the denial-of-service objective by type of denial-of-service event are defined;

+
- + @@ -65805,12 +62466,11 @@ -

- the effects of the following types of denial-of-service events: ; and

+

the effects of the following types of denial-of-service events: ; and

-

Employ the following controls to achieve the denial-of-service objective: .

+

Employ the following controls to achieve the denial-of-service objective: .

@@ -65820,12 +62480,11 @@ -

the effects of are ;

+

the effects of are ;

-

- are employed to achieve the denial-of-service protection objective.

+

are employed to achieve the denial-of-service protection objective.

@@ -65866,26 +62525,24 @@ - -

denial-of-service attacks for which to restrict the ability of individuals to launch are defined;

-
+ +

denial-of-service attacks for which to restrict the ability of individuals to launch are defined;

+
- + -

Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: .

+

Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: .

Restricting the ability of individuals to launch denial-of-service attacks requires the mechanisms commonly used for such attacks to be unavailable. Individuals of concern include hostile insiders or external adversaries who have breached or compromised the system and are using it to launch a denial-of-service attack. Organizations can restrict the ability of individuals to connect and transmit arbitrary information on the transport medium (i.e., wired networks, wireless networks, spoofed Internet protocol packets). Organizations can also limit the ability of individuals to use excessive system resources. Protection against individuals having the ability to launch denial-of-service attacks may be implemented on specific systems or boundary devices that prohibit egress to potential target systems.

-

the ability of individuals to launch against other systems is restricted.

+

the ability of individuals to launch against other systems is restricted.

@@ -65924,9 +62581,7 @@ - +

Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.

@@ -65975,35 +62630,33 @@ - -

monitoring tools for detecting indicators of denial-of-service attacks are defined;

-
+ +

monitoring tools for detecting indicators of denial-of-service attacks are defined;

+
- -

system resources to be monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks are defined;

-
+ +

system resources to be monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks are defined;

+
- + -

Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: ; and

+

Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: ; and

-

Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: .

+

Monitor the following system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks: .

@@ -66013,13 +62666,11 @@ -

- are employed to detect indicators of denial-of-service attacks against or launched from the system;

+

are employed to detect indicators of denial-of-service attacks against or launched from the system;

-

- are monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks.

+

are monitored to determine if sufficient resources exist to prevent effective denial-of-service attacks.

@@ -66060,9 +62711,9 @@ - -

resources to be allocated to protect the availability of resources are defined;

-
+ +

resources to be allocated to protect the availability of resources are defined;

+
@@ -66070,40 +62721,34 @@ - -

controls to protect the availability of resources are defined (if selected);

-
+ +

controls to protect the availability of resources are defined (if selected);

+
- - + + -

Protect the availability of resources by allocating by .

+

Protect the availability of resources by allocating by .

Priority protection prevents lower-priority processes from delaying or interfering with the system that services higher-priority processes. Quotas prevent users or processes from obtaining more than predetermined amounts of resources.

-

the availability of resources is protected by allocating by .

+

the availability of resources is protected by allocating by .

@@ -66149,9 +62794,7 @@ - + @@ -66190,7 +62833,7 @@ -

Implement subnetworks for publicly accessible system components that are separated from internal organizational networks; and

+

Implement subnetworks for publicly accessible system components that are separated from internal organizational networks; and

@@ -66198,7 +62841,7 @@
-

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. SP 800-189 provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).

+

Managed interfaces include gateways, routers, firewalls, guards, network-based malicious code analysis, virtualization systems, or encrypted tunnels implemented within a security architecture. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational systems includes restricting external web traffic to designated web servers within managed interfaces, prohibiting external traffic that appears to be spoofing internal addresses, and prohibiting internal traffic that appears to be spoofing external addresses. SP 800-189 provides additional information on source address validation techniques to prevent ingress and egress of traffic with spoofed addresses. Commercial telecommunications services are provided by network components and consolidated management systems shared by customers. These services may also include third party-provided access lines and other service elements. Such services may represent sources of increased risk despite contract security provisions. Boundary protection may be implemented as a common control for all or part of an organizational network such that the boundary to be protected is greater than a system-specific boundary (i.e., an authorization boundary).

@@ -66223,7 +62866,7 @@ -

subnetworks for publicly accessible system components are separated from internal organizational networks;

+

subnetworks for publicly accessible system components are separated from internal organizational networks;

@@ -66284,15 +62927,13 @@ - +

Limit the number of external network connections to the system.

-

Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection DHS TIC initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system.

+

Limiting the number of external network connections facilitates monitoring of inbound and outbound communications traffic. The Trusted Internet Connection DHS TIC initiative is an example of a federal guideline that requires limits on the number of external network connections. Limiting the number of external network connections to the system is important during transition periods from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols). Such transitions may require implementing the older and newer technologies simultaneously during the transition period and thus increase the number of access points to the system.

@@ -66338,16 +62979,14 @@ - -

the frequency at which to review exceptions to traffic flow policy is defined;

-
+ +

the frequency at which to review exceptions to traffic flow policy is defined;

+
- + @@ -66373,7 +63012,7 @@
-

Review exceptions to the traffic flow policy and remove exceptions that are no longer supported by an explicit mission or business need;

+

Review exceptions to the traffic flow policy and remove exceptions that are no longer supported by an explicit mission or business need;

@@ -66389,7 +63028,7 @@
-

External telecommunications services can provide data and/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See SP 800-189 for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements.

+

External telecommunications services can provide data and/or voice communications services. Examples of control plane traffic include Border Gateway Protocol (BGP) routing, Domain Name System (DNS), and management protocols. See SP 800-189 for additional information on the use of the resource public key infrastructure (RPKI) to protect BGP routes and detect unauthorized BGP announcements.

@@ -66420,7 +63059,7 @@ -

exceptions to the traffic flow policy are reviewed ;

+

exceptions to the traffic flow policy are reviewed ;

@@ -66486,27 +63125,24 @@ - -

systems for which network communications traffic is denied by default and network communications traffic is allowed by exception are defined (if selected).

-
+ +

systems for which network communications traffic is denied by default and network communications traffic is allowed by exception are defined (if selected).

+
- + -

Deny network communications traffic by default and allow network communications traffic by exception .

+

Deny network communications traffic by default and allow network communications traffic by exception .

Denying by default and allowing by exception applies to inbound and outbound network communications traffic. A deny-all, permit-by-exception network communications traffic policy ensures that only those system connections that are essential and approved are allowed. Deny by default, allow by exception also applies to a system that is connected to an external system.

@@ -66515,11 +63151,11 @@ -

network communications traffic is denied by default ;

+

network communications traffic is denied by default ;

-

network communications traffic is allowed by exception .

+

network communications traffic is allowed by exception .

@@ -66567,26 +63203,24 @@ - -

safeguards to securely provision split tunneling are defined;

-
+ +

safeguards to securely provision split tunneling are defined;

+
- + -

Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using .

+

Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using .

Split tunneling is the process of allowing a remote user or device to establish a non-remote connection with a system and simultaneously communicate via some other connection to a resource in an external network. This method of network access enables a user to access remote devices and simultaneously, access uncontrolled networks. Split tunneling might be desirable by remote users to communicate with local system resources, such as printers or file servers. However, split tunneling can facilitate unauthorized external connections, making the system vulnerable to attack and to exfiltration of organizational information. Split tunneling can be prevented by disabling configuration settings that allow such capability in remote devices and by preventing those configuration settings from being configurable by users. Prevention can also be achieved by the detection of split tunneling (or of configuration settings that allow split tunneling) in the remote device, and by prohibiting the connection if the remote device is using split tunneling. A virtual private network (VPN) can be used to securely provision a split tunnel. A securely provisioned VPN includes locking connectivity to exclusive, managed, and named environments, or to a specific set of pre-approved addresses, without user control.

-

split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using .

+

split tunneling is prevented for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using .

@@ -66628,36 +63262,33 @@ - -

internal communications traffic to be routed to external networks is defined;

-
+ +

internal communications traffic to be routed to external networks is defined;

+
- -

external networks to which internal communications traffic is to be routed are defined;

-
+ +

external networks to which internal communications traffic is to be routed are defined;

+
- + -

Route to through authenticated proxy servers at managed interfaces.

+

Route to through authenticated proxy servers at managed interfaces.

-

External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for man-in-the-middle attacks (depending on the implementation).

+

External networks are networks outside of organizational control. A proxy server is a server (i.e., system or application) that acts as an intermediary for clients requesting system resources from non-organizational or other organizational servers. System resources that may be requested include files, connections, web pages, or services. Client requests established through a connection to a proxy server are assessed to manage complexity and provide additional protection by limiting direct connectivity. Web content filtering devices are one of the most common proxy servers that provide access to the Internet. Proxy servers can support the logging of Transmission Control Protocol sessions and the blocking of specific Uniform Resource Locators, Internet Protocol addresses, and domain names. Web proxies can be configured with organization-defined lists of authorized and unauthorized websites. Note that proxy servers may inhibit the use of virtual private networks (VPNs) and create the potential for man-in-the-middle attacks (depending on the implementation).

-

- is routed to through authenticated proxy servers at managed interfaces.

+

is routed to through authenticated proxy servers at managed interfaces.

@@ -66697,9 +63328,7 @@ - + @@ -66780,16 +63409,14 @@ - -

the frequency for conducting exfiltration tests is defined;

-
+ +

the frequency for conducting exfiltration tests is defined;

+
- + @@ -66801,7 +63428,7 @@
-

Conduct exfiltration tests .

+

Conduct exfiltration tests .

@@ -66815,7 +63442,7 @@ -

exfiltration tests are conducted .

+

exfiltration tests are conducted .

@@ -66854,35 +63481,33 @@ - -

authorized sources of incoming communications to be routed are defined;

-
+ +

authorized sources of incoming communications to be routed are defined;

+
- -

authorized destinations to which incoming communications from authorized sources may be routed are defined;

-
+ +

authorized destinations to which incoming communications from authorized sources may be routed are defined;

+
- + -

Only allow incoming communications from to be routed to .

+

Only allow incoming communications from to be routed to .

General source address validation techniques are applied to restrict the use of illegal and unallocated source addresses as well as source addresses that should only be used within the system. The restriction of incoming communications traffic provides determinations that source and destination address pairs represent authorized or allowed communications. Determinations can be based on several factors, including the presence of such address pairs in the lists of authorized or allowed communications, the absence of such address pairs in lists of unauthorized or disallowed pairs, or meeting more general rules for authorized or allowed source and destination pairs. Strong authentication of network addresses is not possible without the use of explicit security protocols, and thus, addresses can often be spoofed. Further, identity-based incoming traffic restriction methods can be employed, including router access control lists and firewall rules.

-

only incoming communications from are allowed to be routed to .

+

only incoming communications from are allowed to be routed to .

@@ -66921,35 +63546,32 @@ - -

host-based boundary protection mechanisms to be implemented are defined;

-
+ +

host-based boundary protection mechanisms to be implemented are defined;

+
- -

system components where host-based boundary protection mechanisms are to be implemented are defined;

-
+ +

system components where host-based boundary protection mechanisms are to be implemented are defined;

+
- + -

Implement at .

+

Implement at .

Host-based boundary protection mechanisms include host-based firewalls. System components that employ host-based boundary protection mechanisms include servers, workstations, notebook computers, and mobile devices.

-

- are implemented at .

+

are implemented at .

@@ -66989,29 +63611,26 @@ - -

information security tools, mechanisms, and support components to be isolated from other internal system components are defined;

-
+ +

information security tools, mechanisms, and support components to be isolated from other internal system components are defined;

+
- + -

Isolate from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

+

Isolate from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

Physically separate subnetworks with managed interfaces are useful in isolating computer network defenses from critical operational processing networks to prevent adversaries from discovering the analysis and forensics techniques employed by organizations.

-

- are isolated from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

+

are isolated from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.

@@ -67052,29 +63671,26 @@ - -

managed interfaces to be protected against unauthorized physical connections are defined;

-
+ +

managed interfaces to be protected against unauthorized physical connections are defined;

+
- + -

Protect against unauthorized physical connections at .

+

Protect against unauthorized physical connections at .

Systems that operate at different security categories or classification levels may share common physical and environmental controls, since the systems may share space within the same facilities. In practice, it is possible that these separate systems may share common equipment rooms, wiring closets, and cable distribution paths. Protection against unauthorized physical connections can be achieved by using clearly identified and physically separated cable trays, connection frames, and patch panels for each side of managed interfaces with physical access controls that enforce limited authorized access to these items.

-

- are protected against unauthorized physical connections.

+

are protected against unauthorized physical connections.

@@ -67112,9 +63728,7 @@ - + @@ -67175,9 +63789,7 @@ - +

Prevent the discovery of specific system components that represent a managed interface.

@@ -67227,9 +63839,7 @@ - + @@ -67279,12 +63889,8 @@ - - + + @@ -67337,19 +63943,17 @@ - -

communication clients that are independently configured by end users and external service providers are defined;

-
+ +

communication clients that are independently configured by end users and external service providers are defined;

+
- + -

Block inbound and outbound communications traffic between that are independently configured by end users and external service providers.

+

Block inbound and outbound communications traffic between that are independently configured by end users and external service providers.

Communication clients independently configured by end users and external service providers include instant messaging clients and video conferencing software and applications. Traffic blocking does not apply to communication clients that are configured by organizations to perform authorized functions.

@@ -67358,11 +63962,11 @@ -

inbound communications traffic is blocked between that are independently configured by end users and external service providers;

+

inbound communications traffic is blocked between that are independently configured by end users and external service providers;

-

outbound communications traffic is blocked between that are independently configured by end users and external service providers.

+

outbound communications traffic is blocked between that are independently configured by end users and external service providers.

@@ -67404,26 +64008,24 @@ - -

system components to be dynamically isolated from other system components are defined;

-
+ +

system components to be dynamically isolated from other system components are defined;

+
- + -

Provide the capability to dynamically isolate from other system components.

+

Provide the capability to dynamically isolate from other system components.

The capability to dynamically isolate certain internal system components is useful when it is necessary to partition or separate system components of questionable origin from components that possess greater trustworthiness. Component isolation reduces the attack surface of organizational systems. Isolating selected system components can also limit the damage from successful attacks when such attacks occur.

-

the capability to dynamically isolate from other system components is provided.

+

the capability to dynamically isolate from other system components is provided.

@@ -67465,41 +64067,35 @@ - -

system components to be isolated by boundary protection mechanisms are defined;

-
+ +

system components to be isolated by boundary protection mechanisms are defined;

+
- -

missions and/or business functions to be supported by system components isolated by boundary protection mechanisms are defined;

-
+ +

missions and/or business functions to be supported by system components isolated by boundary protection mechanisms are defined;

+
- - - + + + -

Employ boundary protection mechanisms to isolate supporting .

+

Employ boundary protection mechanisms to isolate supporting .

Organizations can isolate system components that perform different mission or business functions. Such isolation limits unauthorized information flows among system components and provides the opportunity to deploy greater levels of protection for selected system components. Isolating system components with boundary protection mechanisms provides the capability for increased protection of individual system components and to more effectively control information flows between those components. Isolating system components provides enhanced protection that limits the potential harm from hostile cyber-attacks and errors. The degree of isolation varies depending upon the mechanisms chosen. Boundary protection mechanisms include routers, gateways, and firewalls that separate system components into physically separate networks or subnetworks; cross-domain devices that separate subnetworks; virtualization techniques; and the encryption of information flows among system components using distinct encryption keys.

-

boundary protection mechanisms are employed to isolate supporting .

+

boundary protection mechanisms are employed to isolate supporting .

@@ -67539,12 +64135,8 @@ - - + +

Implement separate network addresses to connect to systems in different security domains.

@@ -67594,9 +64186,7 @@ - +

Disable feedback to senders on protocol format validation failure.

@@ -67647,19 +64237,15 @@ - -

processing rules for systems that process personally identifiable information are defined;

-
+ +

processing rules for systems that process personally identifiable information are defined;

+
- - + + @@ -67667,7 +64253,7 @@

For systems that process personally identifiable information:

-

Apply the following processing rules to data elements of personally identifiable information: ;

+

Apply the following processing rules to data elements of personally identifiable information: ;

@@ -67689,8 +64275,7 @@ -

- are applied to data elements of personally identifiable information on systems that process personally identifiable information;

+

are applied to data elements of personally identifiable information on systems that process personally identifiable information;

@@ -67762,34 +64347,32 @@ - -

the unclassified national security system prohibited from directly connecting to an external network is defined;

-
+ +

the unclassified national security system prohibited from directly connecting to an external network is defined;

+
- -

the boundary protection device required for a direct connection to an external network is defined;

-
+ +

the boundary protection device required for a direct connection to an external network is defined;

+
- + -

Prohibit the direct connection of to an external network without the use of .

+

Prohibit the direct connection of to an external network without the use of .

A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between unclassified national security systems and external networks.

-

the direct connection of to an external network without the use of is prohibited.

+

the direct connection of to an external network without the use of is prohibited.

@@ -67830,26 +64413,24 @@ - -

the boundary protection device required for a direct connection to an external network is defined;

-
+ +

the boundary protection device required for a direct connection to an external network is defined;

+
- + -

Prohibit the direct connection of a classified national security system to an external network without the use of .

+

Prohibit the direct connection of a classified national security system to an external network without the use of .

A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between classified national security systems and external networks. In addition, approved boundary protection devices (typically managed interface or cross-domain systems) provide information flow enforcement from systems to external networks.

-

the direct connection of classified national security system to an external network without the use of a is prohibited.

+

the direct connection of classified national security system to an external network without the use of a is prohibited.

@@ -67888,39 +64469,35 @@ Unclassified Non-national Security System Connections - + - -

the unclassified, non-national security system prohibited from directly connecting to an external network is defined;

-
+ +

the unclassified, non-national security system prohibited from directly connecting to an external network is defined;

+
- -

the boundary protection device required for a direct connection of unclassified, non-national security system to an external network is defined;

-
+ +

the boundary protection device required for a direct connection of unclassified, non-national security system to an external network is defined;

+
- + -

Prohibit the direct connection of to an external network without the use of .

+

Prohibit the direct connection of to an external network without the use of .

A direct connection is a dedicated physical or virtual connection between two or more systems. Organizations typically do not have complete control over external networks, including the Internet. Boundary protection devices (e.g., firewalls, gateways, and routers) mediate communications and information flows between unclassified non-national security systems and external networks.

-

the direct connection of to an external network without the use of a is prohibited.

+

the direct connection of to an external network without the use of a is prohibited.

@@ -67961,26 +64538,24 @@ - -

the system that is prohibited from directly connecting to a public network is defined;

-
+ +

the system that is prohibited from directly connecting to a public network is defined;

+
- + -

Prohibit the direct connection of to a public network.

+

Prohibit the direct connection of to a public network.

A direct connection is a dedicated physical or virtual connection between two or more systems. A public network is a network accessible to the public, including the Internet and organizational extranets with public access.

-

the direct connection of the to a public network is prohibited.

+

the direct connection of the to a public network is prohibited.

@@ -68029,26 +64604,24 @@ - -

critical system components and functions to be isolated are defined;

-
+ +

critical system components and functions to be isolated are defined;

+
- + -

Implement separate subnetworks to isolate the following critical system components and functions: .

+

Implement separate subnetworks to isolate the following critical system components and functions: .

Separating critical system components and functions from other noncritical system components and functions through separate subnetworks may be necessary to reduce susceptibility to a catastrophic or debilitating breach or compromise that results in system failure. For example, physically separating the command and control function from the in-flight entertainment function through separate subnetworks in a commercial aircraft provides an increased level of assurance in the trustworthiness of critical system functions.

-

subnetworks are separated to isolate .

+

subnetworks are separated to isolate .

@@ -68098,9 +64671,7 @@ - + @@ -68125,7 +64696,7 @@ -

Protect the of transmitted information.

+

Protect the of transmitted information.

Protecting the confidentiality and integrity of transmitted information applies to internal and external networks as well as any system components that can transmit information, including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, facsimile machines, and radios. Unprotected communication paths are exposed to the possibility of interception and modification. Protecting the confidentiality and integrity of information can be accomplished by physical or logical means. Physical protection can be achieved by using protected distribution systems. A protected distribution system is a wireline or fiber-optics telecommunications system that includes terminals and adequate electromagnetic, acoustical, electrical, and physical controls to permit its use for the unencrypted transmission of classified information. Logical protection can be achieved by employing encryption techniques.

@@ -68133,7 +64704,7 @@
-

the of transmitted information is/are protected.

+

the of transmitted information is/are protected.

@@ -68177,21 +64748,19 @@ - + -

Implement cryptographic mechanisms to during transmission.

+

Implement cryptographic mechanisms to during transmission.

Encryption protects information from unauthorized disclosure and modification during transmission. Cryptographic mechanisms that protect the confidentiality and integrity of information during transmission include TLS and IPSec. Cryptographic mechanisms used to protect information integrity include cryptographic hash functions that have applications in digital signatures, checksums, and message authentication codes.

-

cryptographic mechanisms are implemented to during transmission.

+

cryptographic mechanisms are implemented to during transmission.

@@ -68238,12 +64807,10 @@ - + -

Maintain the of information during preparation for transmission and during reception.

+

Maintain the of information during preparation for transmission and during reception.

Information can be unintentionally or maliciously disclosed or modified during preparation for transmission or during reception, including during aggregation, at protocol transformation points, and during packing and unpacking. Such unauthorized disclosures or modifications compromise the confidentiality or integrity of the information.

@@ -68252,11 +64819,11 @@ -

information is/are maintained during preparation for transmission;

+

information is/are maintained during preparation for transmission;

-

information is/are maintained during reception.

+

information is/are maintained during reception.

@@ -68295,28 +64862,26 @@ - -

alternative physical controls to protect message externals are defined;

-
+ +

alternative physical controls to protect message externals are defined;

+
- + -

Implement cryptographic mechanisms to protect message externals unless otherwise protected by .

+

Implement cryptographic mechanisms to protect message externals unless otherwise protected by .

Cryptographic protection for message externals addresses protection from the unauthorized disclosure of information. Message externals include message headers and routing information. Cryptographic protection prevents the exploitation of message externals and applies to internal and external networks or links that may be visible to individuals who are not authorized users. Header and routing information is sometimes transmitted in clear text (i.e., unencrypted) because the information is not identified by organizations as having significant value or because encrypting the information can result in lower network performance or higher costs. Alternative physical controls include protected distribution systems.

-

cryptographic mechanisms are implemented to protect message externals unless otherwise protected by .

+

cryptographic mechanisms are implemented to protect message externals unless otherwise protected by .

@@ -68356,28 +64921,26 @@ - -

alternative physical controls to protect against unauthorized disclosure of communication patterns are defined;

-
+ +

alternative physical controls to protect against unauthorized disclosure of communication patterns are defined;

+
- + -

Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by .

+

Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by .

Concealing or randomizing communication patterns addresses protection from unauthorized disclosure of information. Communication patterns include frequency, periods, predictability, and amount. Changes to communications patterns can reveal information with intelligence value, especially when combined with other available information related to the mission and business functions of the organization. Concealing or randomizing communications prevents the derivation of intelligence based on communications patterns and applies to both internal and external networks or links that may be visible to individuals who are not authorized users. Encrypting the links and transmitting in continuous, fixed, or random patterns prevents the derivation of intelligence from the system communications patterns. Alternative physical controls include protected distribution systems.

-

cryptographic mechanisms are implemented to conceal or randomize communication patterns unless otherwise protected by .

+

cryptographic mechanisms are implemented to conceal or randomize communication patterns unless otherwise protected by .

@@ -68417,9 +64980,9 @@ - -

the protected distribution system is defined;

-
+ +

the protected distribution system is defined;

+
@@ -68432,19 +64995,17 @@ - + -

Implement to during transmission.

+

Implement to during transmission.

The purpose of a protected distribution system is to deter, detect, and/or make difficult physical access to the communication lines that carry national security information.

-

the is implemented to during transmission.

+

the is implemented to during transmission.

@@ -68492,27 +65053,25 @@ - -

a time period of inactivity after which the system terminates a network connection associated with a communication session is defined;

-
+ +

a time period of inactivity after which the system terminates a network connection associated with a communication session is defined;

+
- + -

Terminate the network connection associated with a communications session at the end of the session or after of inactivity.

+

Terminate the network connection associated with a communications session at the end of the session or after of inactivity.

Network disconnect applies to internal and external networks. Terminating network connections associated with specific communications sessions includes de-allocating TCP/IP address or port pairs at the operating system level and de-allocating the networking assignments at the application level if multiple application sessions are using a single operating system-level network connection. Periods of inactivity may be established by organizations and include time periods by type of network access or for specific network accesses.

-

the network connection associated with a communication session is terminated at the end of the session or after of inactivity.

+

the network connection associated with a communication session is terminated at the end of the session or after of inactivity.

@@ -68559,19 +65118,15 @@ - -

security functions of the system are defined;

-
+ +

security functions of the system are defined;

+
- - + + @@ -68580,11 +65135,11 @@ -

Provide a isolated trusted communications path for communications between the user and the trusted components of the system; and

+

Provide a isolated trusted communications path for communications between the user and the trusted components of the system; and

-

Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: .

+

Permit users to invoke the trusted communications path for communications between the user and the following security functions of the system, including at a minimum, authentication and re-authentication: .

@@ -68594,11 +65149,11 @@ -

a isolated trusted communication path is provided for communications between the user and the trusted components of the system;

+

a isolated trusted communication path is provided for communications between the user and the trusted components of the system;

-

users are permitted to invoke the trusted communication path for communications between the user and the of the system, including authentication and re-authentication, at a minimum.

+

users are permitted to invoke the trusted communication path for communications between the user and the of the system, including authentication and re-authentication, at a minimum.

@@ -68638,19 +65193,15 @@ - -

security functions of the system are defined;

-
+ +

security functions of the system are defined;

+
- - + + @@ -68659,7 +65210,7 @@ -

Initiate the trusted communications path for communications between the of the system and the user.

+

Initiate the trusted communications path for communications between the of the system and the user.

@@ -68673,7 +65224,7 @@ -

the trusted communication path for communications between the of the system and the user is initiated.

+

the trusted communication path for communications between the of the system and the user is initiated.

@@ -68713,24 +65264,18 @@ Cryptographic Key Establishment and Management - + - -

requirements for key generation, distribution, storage, access, and destruction are defined;

-
+ +

requirements for key generation, distribution, storage, access, and destruction are defined;

+
- - + + @@ -68761,20 +65306,20 @@ -

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: .

+

Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: .

-

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. NIST CMVP and NIST CAVP provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.

+

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and specify appropriate options, parameters, and levels. Organizations manage trust stores to ensure that only approved trust anchors are part of such trust stores. This includes certificates with visibility external to organizational systems and certificates related to the internal operations of systems. NIST CMVP and NIST CAVP provide additional information on validated cryptographic modules and algorithms that can be used in cryptographic key management and establishment.

-

cryptographic keys are established when cryptography is employed within the system in accordance with ;

+

cryptographic keys are established when cryptography is employed within the system in accordance with ;

-

cryptographic keys are managed when cryptography is employed within the system in accordance with .

+

cryptographic keys are managed when cryptography is employed within the system in accordance with .

@@ -68812,12 +65357,8 @@ - - + +

Maintain availability of information in the event of the loss of cryptographic keys by users.

@@ -68872,33 +65413,28 @@ - - + + -

Produce, control, and distribute symmetric cryptographic keys using key management technology and processes.

+

Produce, control, and distribute symmetric cryptographic keys using key management technology and processes.

-

- SP 800-56A, SP 800-56B , and SP 800-56C provide guidance on cryptographic key establishment schemes and key derivation methods. SP 800-57-1, SP 800-57-2 , and SP 800-57-3 provide guidance on cryptographic key management.

+

SP 800-56A, SP 800-56B , and SP 800-56C provide guidance on cryptographic key establishment schemes and key derivation methods. SP 800-57-1, SP 800-57-2 , and SP 800-57-3 provide guidance on cryptographic key management.

-

symmetric cryptographic keys are produced using key management technology and processes;

+

symmetric cryptographic keys are produced using key management technology and processes;

-

symmetric cryptographic keys are controlled using key management technology and processes;

+

symmetric cryptographic keys are controlled using key management technology and processes;

-

symmetric cryptographic keys are distributed using key management technology and processes.

+

symmetric cryptographic keys are distributed using key management technology and processes.

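Review bot: the removed lines `- SP 800-56A, SP 800-56B , and SP 800-56C provide guidance ...` carry leading whitespace that the `+` lines drop; trimming the start of a mixed-content paragraph is only safe when no inline element precedes the text. The space before the comma in `SP 800-56B , and` (the gap left by an inline reference) survives unchanged in both versions, which is the correct outcome for a whitespace-only pass, but it is worth spot-checking that whitespace adjacent to inline elements is preserved everywhere else too, since collapsing it would change the rendered text of the catalog.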
@@ -68950,33 +65486,28 @@ - - + + -

Produce, control, and distribute asymmetric cryptographic keys using .

+

Produce, control, and distribute asymmetric cryptographic keys using .

-

- SP 800-56A, SP 800-56B , and SP 800-56C provide guidance on cryptographic key establishment schemes and key derivation methods. SP 800-57-1, SP 800-57-2 , and SP 800-57-3 provide guidance on cryptographic key management.

+

SP 800-56A, SP 800-56B , and SP 800-56C provide guidance on cryptographic key establishment schemes and key derivation methods. SP 800-57-1, SP 800-57-2 , and SP 800-57-3 provide guidance on cryptographic key management.

-

asymmetric cryptographic keys are produced using ;

+

asymmetric cryptographic keys are produced using ;

-

asymmetric cryptographic keys are controlled using ;

+

asymmetric cryptographic keys are controlled using ;

-

asymmetric cryptographic keys are distributed using .

+

asymmetric cryptographic keys are distributed using .

@@ -69034,12 +65565,8 @@ - - + +

Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.

@@ -69088,27 +65615,23 @@ - -

cryptographic uses are defined;

-
+ +

cryptographic uses are defined;

+
- + - -

types of cryptography for each specified cryptographic use are defined;

-
+ +

types of cryptography for each specified cryptographic use are defined;

+
- + @@ -69141,11 +65664,11 @@ -

Determine the ; and

+

Determine the ; and

-

Implement the following types of cryptography required for each specified cryptographic use: .

+

Implement the following types of cryptography required for each specified cryptographic use: .

@@ -69155,13 +65678,11 @@ -

- are identified;

+

are identified;

-

- for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.

+

for each specified cryptographic use (defined in SC-13_ODP[01]) are implemented.

@@ -69251,22 +65772,20 @@ - -

exceptions where remote activation is to be allowed are defined;

-
+ +

exceptions where remote activation is to be allowed are defined;

+
- + -

Prohibit remote activation of collaborative computing devices and applications with the following exceptions: ; and

+

Prohibit remote activation of collaborative computing devices and applications with the following exceptions: ; and

@@ -69280,7 +65799,7 @@ -

remote activation of collaborative computing devices and applications is prohibited except ;

+

remote activation of collaborative computing devices and applications is prohibited except ;

@@ -69332,19 +65851,17 @@ - + -

Provide disconnect of collaborative computing devices in a manner that supports ease of use.

+

Provide disconnect of collaborative computing devices in a manner that supports ease of use.

Failing to disconnect from collaborative computing devices can result in subsequent compromises of organizational information. Providing easy methods to disconnect from such devices after a collaborative computing session ensures that participants carry out the disconnect activity without having to go through complex and tedious procedures. Disconnect from collaborative computing devices can be manual or automatic.

-

the disconnect of collaborative computing devices is/are provided in a manner that supports ease of use.

+

the disconnect of collaborative computing devices is/are provided in a manner that supports ease of use.

@@ -69392,34 +65909,32 @@ - -

systems or system components from which collaborative computing devices are to be disabled or removed are defined;

-
+ +

systems or system components from which collaborative computing devices are to be disabled or removed are defined;

+
- -

secure work areas where collaborative computing devices are to be disabled or removed from systems or system components are defined;

-
+ +

secure work areas where collaborative computing devices are to be disabled or removed from systems or system components are defined;

+
- + -

Disable or remove collaborative computing devices and applications from in .

+

Disable or remove collaborative computing devices and applications from in .

Failing to disable or remove collaborative computing devices and applications from systems or system components can result in compromises of information, including eavesdropping on conversations. A Sensitive Compartmented Information Facility (SCIF) is an example of a secure work area.

-

collaborative computing devices and applications are disabled or removed from in .

+

collaborative computing devices and applications are disabled or removed from in .

@@ -69460,26 +65975,24 @@ - -

online meetings and teleconferences for which an explicit indication of current participants is to be provided are defined;

-
+ +

online meetings and teleconferences for which an explicit indication of current participants is to be provided are defined;

+
- + -

Provide an explicit indication of current participants in .

+

Provide an explicit indication of current participants in .

Explicitly indicating current participants prevents unauthorized individuals from participating in collaborative computing sessions without the explicit knowledge of other participants.

-

an explicit indication of current participants in is provided.

+

an explicit indication of current participants in is provided.

@@ -69517,40 +66030,34 @@ Transmission of Security and Privacy Attributes - - + + - -

security attributes to be associated with information exchanged are defined;

-
+ +

security attributes to be associated with information exchanged are defined;

+
- -

privacy attributes to be associated with information exchanged are defined;

-
+ +

privacy attributes to be associated with information exchanged are defined;

+
- + -

Associate with information exchanged between systems and between system components.

+

Associate with information exchanged between systems and between system components.

Security and privacy attributes can be explicitly or implicitly associated with the information contained in organizational systems or system components. Attributes are abstractions that represent the basic properties or characteristics of an entity with respect to protecting information or the management of personally identifiable information. Attributes are typically associated with internal data structures, including records, buffers, and files within the system. Security and privacy attributes are used to implement access control and information flow control policies; reflect special dissemination, management, or distribution instructions, including permitted uses of personally identifiable information; or support other aspects of the information security and privacy policies. Privacy attributes may be used independently or in conjunction with security attributes.

@@ -69559,23 +66066,19 @@ -

- are associated with information exchanged between systems;

+

are associated with information exchanged between systems;

-

- are associated with information exchanged between system components;

+

are associated with information exchanged between system components;

-

- are associated with information exchanged between systems;

+

are associated with information exchanged between systems;

-

- are associated with information exchanged between system components.

+

are associated with information exchanged between system components.

@@ -69614,9 +66117,7 @@ - + @@ -69673,9 +66174,7 @@ - + @@ -69726,30 +66225,27 @@ - -

mechanisms or techniques to bind security and privacy attributes to transmitted information are defined;

-
+ +

mechanisms or techniques to bind security and privacy attributes to transmitted information are defined;

+
- + -

Implement to bind security and privacy attributes to transmitted information.

+

Implement to bind security and privacy attributes to transmitted information.

Cryptographic mechanisms and techniques can provide strong security and privacy attribute binding to transmitted information to help ensure the integrity of such information.

-

- are implemented to bind security and privacy attributes to transmitted information.

+

are implemented to bind security and privacy attributes to transmitted information.

@@ -69788,19 +66284,15 @@ - -

a certificate policy for issuing public key certificates is defined;

-
+ +

a certificate policy for issuing public key certificates is defined;

+
- - + + @@ -69812,7 +66304,7 @@ -

Issue public key certificates under an or obtain public key certificates from an approved service provider; and

+

Issue public key certificates under an or obtain public key certificates from an approved service provider; and

@@ -69826,7 +66318,7 @@ -

public key certificates are issued under , or public key certificates are obtained from an approved service provider;

+

public key certificates are issued under , or public key certificates are obtained from an approved service provider;

@@ -69868,9 +66360,7 @@ - + @@ -69967,27 +66457,25 @@ - -

unacceptable mobile code to be identified is defined;

-
+ +

unacceptable mobile code to be identified is defined;

+
- -

corrective actions to be taken when unacceptable mobile code is identified are defined;

-
+ +

corrective actions to be taken when unacceptable mobile code is identified are defined;

+
- + -

Identify and take .

+

Identify and take .

Corrective actions when unacceptable mobile code is detected include blocking, quarantine, or alerting administrators. Blocking includes preventing the transmission of word processing files with embedded macros when such macros have been determined to be unacceptable mobile code.

@@ -69996,13 +66484,11 @@ -

- is identified;

+

is identified;

-

- are taken if unacceptable mobile code is identified.

+

are taken if unacceptable mobile code is identified.

@@ -70047,19 +66533,17 @@ - -

mobile code requirements for the acquisition, development, and use of mobile code to be deployed in the system are defined;

-
+ +

mobile code requirements for the acquisition, development, and use of mobile code to be deployed in the system are defined;

+
- + -

Verify that the acquisition, development, and use of mobile code to be deployed in the system meets .

+

Verify that the acquisition, development, and use of mobile code to be deployed in the system meets .

None.

@@ -70068,15 +66552,15 @@ -

the acquisition of mobile code to be deployed in the system meets ;

+

the acquisition of mobile code to be deployed in the system meets ;

-

the development of mobile code to be deployed in the system meets ;

+

the development of mobile code to be deployed in the system meets ;

-

the use of mobile code to be deployed in the system meets .

+

the use of mobile code to be deployed in the system meets .

@@ -70119,19 +66603,17 @@ - -

unacceptable mobile code to be prevented from downloading and executing is defined;

-
+ +

unacceptable mobile code to be prevented from downloading and executing is defined;

+
- + -

Prevent the download and execution of .

+

Prevent the download and execution of .

None.

@@ -70140,11 +66622,11 @@ -

the download of is prevented;

+

the download of is prevented;

-

the execution of is prevented.

+

the execution of is prevented.

@@ -70186,27 +66668,25 @@ - -

software applications in which the automatic execution of mobile code is to be prevented are defined;

-
+ +

software applications in which the automatic execution of mobile code is to be prevented are defined;

+
- -

actions to be enforced by the system prior to executing mobile code are defined;

-
+ +

actions to be enforced by the system prior to executing mobile code are defined;

+
- + -

Prevent the automatic execution of mobile code in and enforce prior to executing the code.

+

Prevent the automatic execution of mobile code in and enforce prior to executing the code.

Actions enforced before executing mobile code include prompting users prior to opening email attachments or clicking on web links. Preventing the automatic execution of mobile code includes disabling auto-execute features on system components that employ portable storage devices, such as compact discs, digital versatile discs, and universal serial bus devices.

@@ -70215,12 +66695,11 @@ -

the automatic execution of mobile code in is prevented;

+

the automatic execution of mobile code in is prevented;

-

- are enforced prior to executing mobile code.

+

are enforced prior to executing mobile code.

@@ -70263,9 +66742,7 @@ - + @@ -70329,9 +66806,7 @@ - + @@ -70420,9 +66895,7 @@ - +

Provide data origin and integrity protection artifacts for internal name/address resolution queries.

@@ -70477,9 +66950,7 @@ - + @@ -70551,9 +67022,7 @@ - + @@ -70617,9 +67086,7 @@ - + @@ -70632,7 +67099,7 @@

Protect the authenticity of communications sessions.

-

Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into sessions.

+

Protecting session authenticity addresses communications protection at the session level, not at the packet level. Such protection establishes grounds for confidence at both ends of communications sessions in the ongoing identities of other parties and the validity of transmitted information. Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into sessions.

@@ -70671,9 +67138,7 @@ - +

Invalidate session identifiers upon user logout or other session termination.

@@ -70728,22 +67193,20 @@ - -

randomness requirements for generating a unique session identifier for each session are defined;

-
+ +

randomness requirements for generating a unique session identifier for each session are defined;

+
- + -

Generate a unique session identifier for each session with and recognize only session identifiers that are system-generated.

+

Generate a unique session identifier for each session with and recognize only session identifiers that are system-generated.

Generating unique session identifiers curtails the ability of adversaries to reuse previously valid session IDs. Employing the concept of randomness in the generation of unique session identifiers protects against brute-force attacks to determine future session identifiers.

@@ -70752,7 +67215,7 @@ -

a unique session identifier is generated for each session with ;

+

a unique session identifier is generated for each session with ;

@@ -70804,28 +67267,26 @@ - -

certificate authorities to be allowed for verification of the establishment of protected sessions are defined;

-
+ +

certificate authorities to be allowed for verification of the establishment of protected sessions are defined;

+
- + -

Only allow the use of for verification of the establishment of protected sessions.

+

Only allow the use of for verification of the establishment of protected sessions.

Reliance on certificate authorities for the establishment of secure sessions includes the use of Transport Layer Security (TLS) certificates. These certificates, after verification by their respective certificate authorities, facilitate the establishment of protected sessions between web clients and web servers.

-

only the use of for verification of the establishment of protected sessions is allowed.

+

only the use of for verification of the establishment of protected sessions is allowed.

@@ -70862,40 +67323,34 @@ Fail in Known State - + - -

types of system failures for which the system components fail to a known state are defined;

-
+ +

types of system failures for which the system components fail to a known state are defined;

+
- -

known system state to which system components fail in the event of a system failure is defined;

-
+ +

known system state to which system components fail in the event of a system failure is defined;

+
- -

system state information to be preserved in the event of a system failure is defined;

-
+ +

system state information to be preserved in the event of a system failure is defined;

+
- - + + @@ -70905,15 +67360,14 @@ -

Fail to a for the following failures on the indicated components while preserving in failure: .

+

Fail to a for the following failures on the indicated components while preserving in failure: .

Failure in a known state addresses security concerns in accordance with the mission and business needs of organizations. Failure in a known state prevents the loss of confidentiality, integrity, or availability of information in the event of failures of organizational systems or system components. Failure in a known safe state helps to prevent systems from failing to a state that may cause injury to individuals or destruction to property. Preserving system state information facilitates system restart and return to the operational mode with less disruption of mission and business processes.

-

- fail to a while preserving in failure.

+

fail to a while preserving in failure.

@@ -70954,20 +67408,18 @@ - -

system components to be employed with minimal functionality and information storage are defined;

-
+ +

system components to be employed with minimal functionality and information storage are defined;

+
- + -

Employ minimal functionality and information storage on the following system components: .

+

Employ minimal functionality and information storage on the following system components: .

The deployment of system components with minimal functionality reduces the need to secure every endpoint and may reduce the exposure of information, systems, and services to attacks. Reduced or minimal functionality includes diskless nodes and thin client technologies.

@@ -70976,11 +67428,11 @@ -

minimal functionality for is employed;

+

minimal functionality for is employed;

-

minimal information storage on is allocated.

+

minimal information storage on is allocated.

@@ -71017,9 +67469,7 @@ - + @@ -71092,27 +67542,24 @@ - -

platform-independent applications to be included within organizational systems are defined;

-
+ +

platform-independent applications to be included within organizational systems are defined;

+
- + -

Include within organizational systems the following platform independent applications: .

+

Include within organizational systems the following platform independent applications: .

Platforms are combinations of hardware, firmware, and software components used to execute software applications. Platforms include operating systems, the underlying computer architectures, or both. Platform-independent applications are applications with the capability to execute on multiple platforms. Such applications promote portability and reconstitution on different platforms. Application portability and the ability to reconstitute on different platforms increase the availability of mission-essential functions within organizations in situations where systems with specific operating systems are under attack.

-

- are included within organizational systems.

+

are included within organizational systems.

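Review bot: the statement line `+ Include within organizational systems the following platform independent applications: .` spells the term without a hyphen while the surrounding lines in this hunk use "platform-independent applications"; this inconsistency is pre-existing and not something a whitespace-only commit should touch, so it should be noted for a separate content fix rather than folded in here.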
@@ -71159,16 +67606,14 @@ - -

information at rest requiring protection is defined;

-
+ +

information at rest requiring protection is defined;

+
- + @@ -71198,14 +67643,14 @@ -

Protect the of the following information at rest: .

+

Protect the of the following information at rest: .

Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage.

-

the of is/are protected.

+

the of is/are protected.

@@ -71243,30 +67688,28 @@ - -

information requiring cryptographic protection is defined;

-
+ +

information requiring cryptographic protection is defined;

+
- -

system components or media requiring cryptographic protection is/are defined;

-
+ +

system components or media requiring cryptographic protection is/are defined;

+
- + -

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on : .

+

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on : .

The selection of cryptographic mechanisms is based on the need to protect the confidentiality and integrity of organizational information. The strength of mechanism is commensurate with the security category or classification of the information. Organizations have the flexibility to encrypt information on system components or media or encrypt data structures, including files, records, or fields.

@@ -71275,11 +67718,11 @@ -

cryptographic mechanisms are implemented to prevent unauthorized disclosure of at rest on ;

+

cryptographic mechanisms are implemented to prevent unauthorized disclosure of at rest on ;

-

cryptographic mechanisms are implemented to prevent unauthorized modification of at rest on .

+

cryptographic mechanisms are implemented to prevent unauthorized modification of at rest on .

@@ -71319,19 +67762,17 @@ - -

information to be removed from online storage and stored offline in a secure location is defined;

-
+ +

information to be removed from online storage and stored offline in a secure location is defined;

+
- + -

Remove the following information from online storage and store offline in a secure location: .

+

Remove the following information from online storage and store offline in a secure location: .

Removing organizational information from online storage to offline storage eliminates the possibility of individuals gaining unauthorized access to the information through a network. Therefore, organizations may choose to move information to offline storage in lieu of protecting such information in online storage.

@@ -71340,13 +67781,11 @@ -

- is removed from online storage;

+

is removed from online storage;

-

- is stored offline in a secure location.

+

is stored offline in a secure location.

@@ -71387,9 +67826,7 @@ @@ -71397,31 +67834,27 @@ - -

safeguards for protecting the storage of cryptographic keys are defined (if selected);

-
+ +

safeguards for protecting the storage of cryptographic keys are defined (if selected);

+
- - + + -

Provide protected storage for cryptographic keys .

+

Provide protected storage for cryptographic keys .

A Trusted Platform Module (TPM) is an example of a hardware-protected data store that can be used to protect cryptographic keys.

-

protected storage for cryptographic keys is provided using .

+

protected storage for cryptographic keys is provided using .

@@ -71460,33 +67893,29 @@ - -

system components requiring a diverse set of information technologies to be employed in the implementation of the system are defined;

-
+ +

system components requiring a diverse set of information technologies to be employed in the implementation of the system are defined;

+
- - + + -

Employ a diverse set of information technologies for the following system components in the implementation of the system: .

+

Employ a diverse set of information technologies for the following system components in the implementation of the system: .

Increasing the diversity of information technologies within organizational systems reduces the impact of potential exploitations or compromises of specific technologies. Such diversity protects against common mode failures, including those failures induced by supply chain attacks. Diversity in information technologies also reduces the likelihood that the means adversaries use to compromise one system component will be effective against other system components, thus further increasing the adversary work factor to successfully complete planned attacks. An increase in diversity may add complexity and management overhead that could ultimately lead to mistakes and unauthorized configurations.

-

a diverse set of information technologies is employed for in the implementation of the system.

+

a diverse set of information technologies is employed for in the implementation of the system.

@@ -71524,29 +67953,25 @@ - -

the frequency at which to change the diversity of operating systems and applications deployed using virtualization techniques is defined;

-
+ +

the frequency at which to change the diversity of operating systems and applications deployed using virtualization techniques is defined;

+
- - + + -

Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed .

+

Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed .

While frequent changes to operating systems and applications can pose significant configuration management challenges, the changes can result in an increased work factor for adversaries to conduct successful attacks. Changing virtual operating systems or applications, as opposed to changing actual operating systems or applications, provides virtual changes that impede attacker success while reducing configuration management efforts. Virtualization techniques can assist in isolating untrustworthy software or software of dubious provenance into confined execution environments.

-

virtualization techniques are employed to support the deployment of a diverse range of operating systems and applications that are changed .

+

virtualization techniques are employed to support the deployment of a diverse range of operating systems and applications that are changed .

@@ -71590,35 +68015,31 @@ - -

concealment and misdirection techniques to be employed to confuse and mislead adversaries potentially targeting systems are defined;

-
+ +

concealment and misdirection techniques to be employed to confuse and mislead adversaries potentially targeting systems are defined;

+
- -

systems for which concealment and misdirection techniques are to be employed are defined;

-
+ +

systems for which concealment and misdirection techniques are to be employed are defined;

+
- -

time periods to employ concealment and misdirection techniques for systems are defined;

-
+ +

time periods to employ concealment and misdirection techniques for systems are defined;

+
- - + + @@ -71626,15 +68047,14 @@ -

Employ the following concealment and misdirection techniques for at to confuse and mislead adversaries: .

+

Employ the following concealment and misdirection techniques for at to confuse and mislead adversaries: .

Concealment and misdirection techniques can significantly reduce the targeting capabilities of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. For example, virtualization techniques provide organizations with the ability to disguise systems, potentially reducing the likelihood of successful attacks without the cost of having multiple platforms. The increased use of concealment and misdirection techniques and methods—including randomness, uncertainty, and virtualization—may sufficiently confuse and mislead adversaries and subsequently increase the risk of discovery and/or exposing tradecraft. Concealment and misdirection techniques may provide additional time to perform core mission and business functions. The implementation of concealment and misdirection techniques may add to the complexity and management overhead required for the system.

-

- are employed for for to confuse and mislead adversaries.

+

are employed for for to confuse and mislead adversaries.

@@ -71681,30 +68101,25 @@ - -

techniques employed to introduce randomness into organizational operations and assets are defined;

-
+ +

techniques employed to introduce randomness into organizational operations and assets are defined;

+
- - + + -

Employ to introduce randomness into organizational operations and assets.

+

Employ to introduce randomness into organizational operations and assets.

Randomness introduces increased levels of uncertainty for adversaries regarding the actions that organizations take to defend their systems against attacks. Such actions may impede the ability of adversaries to correctly target information resources of organizations that support critical missions or business functions. Uncertainty may also cause adversaries to hesitate before initiating or continuing attacks. Misdirection techniques that involve randomness include performing certain routine actions at different times of day, employing different information technologies, using different suppliers, and rotating roles and responsibilities of organizational personnel.

-

- are employed to introduce randomness into organizational operations and assets.

+

are employed to introduce randomness into organizational operations and assets.

@@ -71744,17 +68159,15 @@ - -

processing and/or storage locations to be changed are defined;

-
+ +

processing and/or storage locations to be changed are defined;

+
@@ -71762,30 +68175,25 @@ - -

time frequency at which to change the location of processing and/or storage is defined (if selected);

-
+ +

time frequency at which to change the location of processing and/or storage is defined (if selected);

+
- - + + -

Change the location of - ].

+

Change the location of ].

Adversaries target critical mission and business functions and the systems that support those mission and business functions while also trying to minimize the exposure of their existence and tradecraft. The static, homogeneous, and deterministic nature of organizational systems targeted by adversaries make such systems more susceptible to attacks with less adversary cost and effort to be successful. Changing processing and storage locations (also referred to as moving target defense) addresses the advanced persistent threat using techniques such as virtualization, distributed processing, and replication. This enables organizations to relocate the system components (i.e., processing, storage) that support critical mission and business functions. Changing the locations of processing activities and/or storage sites introduces a degree of uncertainty into the targeting activities of adversaries. The targeting uncertainty increases the work factor of adversaries and makes compromises or breaches of the organizational systems more difficult and time-consuming. It also increases the chances that adversaries may inadvertently disclose certain aspects of their tradecraft while attempting to locate critical organizational resources.

-

the location of is changed .

+

the location of is changed .

@@ -71825,29 +68233,25 @@ - -

system components for which realistic but misleading information about their security state or posture is employed are defined;

-
+ +

system components for which realistic but misleading information about their security state or posture is employed are defined;

+
- - + + -

Employ realistic, but misleading information in about its security state or posture.

+

Employ realistic, but misleading information in about its security state or posture.

Employing misleading information is intended to confuse potential adversaries regarding the nature and extent of controls deployed by organizations. Thus, adversaries may employ incorrect and ineffective attack techniques. One technique for misleading adversaries is for organizations to place misleading information regarding the specific controls deployed in external systems that are known to be targeted by adversaries. Another technique is the use of deception nets that mimic actual aspects of organizational systems but use, for example, out-of-date software configurations.

-

realistic but misleading information about the security state or posture of is employed.

+

realistic but misleading information about the security state or posture of is employed.

@@ -71886,38 +68290,33 @@ - -

techniques to be employed to hide or conceal system components are defined;

-
+ +

techniques to be employed to hide or conceal system components are defined;

+
- -

system components to be hidden or concealed using techniques (defined in SC-30(05)_ODP[01]) are defined;

-
+ +

system components to be hidden or concealed using techniques (defined in SC-30(05)_ODP[01]) are defined;

+
- - + + -

Employ the following techniques to hide or conceal : .

+

Employ the following techniques to hide or conceal : .

By hiding, disguising, or concealing critical system components, organizations may be able to decrease the probability that adversaries target and successfully compromise those assets. Potential means to hide, disguise, or conceal system components include the configuration of routers or the use of encryption or virtualization techniques.

-

- are employed to hide or conceal .

+

are employed to hide or conceal .

@@ -71965,12 +68364,8 @@ - - + + @@ -71978,7 +68373,7 @@ -

Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert channels; and

+

Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert channels; and

@@ -71992,7 +68387,7 @@ -

a covert channel analysis is performed to identify those aspects of communications within the system that are potential avenues for covert channels;

+

a covert channel analysis is performed to identify those aspects of communications within the system that are potential avenues for covert channels;

@@ -72037,12 +68432,8 @@ - - + +

Test a subset of the identified covert channels to determine the channels that are exploitable.

@@ -72101,29 +68492,25 @@ - -

values for the maximum bandwidth for identified covert channels are defined;

-
+ +

values for the maximum bandwidth for identified covert channels are defined;

+
- - + + -

Reduce the maximum bandwidth for identified covert channels to .

+

Reduce the maximum bandwidth for identified covert channels to .

The complete elimination of covert channels, especially covert timing channels, is usually not possible without significant performance impacts.

-

the maximum bandwidth for identified covert channels is reduced to .

+

the maximum bandwidth for identified covert channels is reduced to .

@@ -72167,29 +68554,25 @@ - -

subset of identified covert channels whose bandwidth is to be measured in the operational environment of the system is defined;

-
+ +

subset of identified covert channels whose bandwidth is to be measured in the operational environment of the system is defined;

+
- - + + -

Measure the bandwidth of in the operational environment of the system.

+

Measure the bandwidth of in the operational environment of the system.

Measuring covert channel bandwidth in specified operational environments helps organizations determine how much information can be covertly leaked before such leakage adversely affects mission or business functions. Covert channel bandwidth may be significantly different when measured in settings that are independent of the specific environments of operation, including laboratories or system development environments.

-

the bandwidth of is measured in the operational environment of the system.

+

the bandwidth of is measured in the operational environment of the system.

@@ -72232,9 +68615,9 @@ - -

system components to reside in separate physical or logical domains or environments based on circumstances for the physical or logical separation of components are defined;

-
+ +

system components to reside in separate physical or logical domains or environments based on circumstances for the physical or logical separation of components are defined;

+
@@ -72246,27 +68629,19 @@ - + - -

circumstances for the physical or logical separation of components are defined;

-
+ +

circumstances for the physical or logical separation of components are defined;

+
- - - + + + @@ -72277,14 +68652,14 @@ -

Partition the system into residing in separate domains or environments based on .

+

Partition the system into residing in separate domains or environments based on .

System partitioning is part of a defense-in-depth protection strategy. Organizations determine the degree of physical separation of system components. Physical separation options include physically distinct components in separate racks in the same room, critical components in separate rooms, and geographical separation of critical components. Security categorization can guide the selection of candidates for domain partitioning. Managed interfaces restrict or prohibit network access and information flow among partitioned system components.

-

the system is partitioned into residing in separate domains or environments based on .

+

the system is partitioned into residing in separate domains or environments based on .

@@ -72324,15 +68699,9 @@ - - - + + +

Partition privileged functions into separate physical domains.

@@ -72393,39 +68762,35 @@ - -

system components for which the operating environment and applications are to be loaded and executed from hardware-enforced, read-only media are defined;

-
+ +

system components for which the operating environment and applications are to be loaded and executed from hardware-enforced, read-only media are defined;

+
- -

applications to be loaded and executed from hardware-enforced, read-only media are defined;

-
+ +

applications to be loaded and executed from hardware-enforced, read-only media are defined;

+
- - + + -

For , load and execute:

+

For , load and execute:

The operating environment from hardware-enforced, read-only media; and

-

The following applications from hardware-enforced, read-only media: .

+

The following applications from hardware-enforced, read-only media: .

@@ -72435,12 +68800,11 @@ -

the operating environment for is loaded and executed from hardware-enforced, read-only media;

+

the operating environment for is loaded and executed from hardware-enforced, read-only media;

-

- for are loaded and executed from hardware-enforced, read-only media.

+

for are loaded and executed from hardware-enforced, read-only media.

@@ -72486,32 +68850,27 @@ - -

system components to be employed with no writeable storage are defined;

-
+ +

system components to be employed with no writeable storage are defined;

+
- - + + -

Employ with no writeable storage that is persistent across component restart or power on/off.

+

Employ with no writeable storage that is persistent across component restart or power on/off.

Disallowing writeable storage eliminates the possibility of malicious code insertion via persistent, writeable storage within the designated system components. The restriction applies to fixed and removable storage, with the latter being addressed either directly or as specific restrictions imposed through access controls for mobile devices.

-

- are employed with no writeable storage that is persistent across component restart or power on/off.

+

are employed with no writeable storage that is persistent across component restart or power on/off.

@@ -72552,12 +68911,8 @@ - - + + @@ -72630,9 +68985,7 @@ - + @@ -72642,7 +68995,7 @@

Include system components that proactively seek to identify network-based malicious code or malicious websites.

-

External malicious code identification differs from decoys in SC-26 in that the components actively probe networks, including the Internet, in search of malicious code contained on external websites. Like decoys, the use of external malicious code identification techniques requires some supporting isolation measures to ensure that any malicious code discovered during the search and subsequently executed does not infect organizational systems. Virtualization is a common technique for achieving such isolation.

+

External malicious code identification differs from decoys in SC-26 in that the components actively probe networks, including the Internet, in search of malicious code contained on external websites. Like decoys, the use of external malicious code identification techniques requires some supporting isolation measures to ensure that any malicious code discovered during the search and subsequently executed does not infect organizational systems. Virtualization is a common technique for achieving such isolation.

@@ -72683,32 +69036,24 @@ Distributed Processing and Storage - - + + - - + + - -

processing components to be distributed across multiple locations/domains are defined;

-
+ +

processing components to be distributed across multiple locations/domains are defined;

+
@@ -72720,9 +69065,9 @@ - -

storage components to be distributed across multiple locations/domains are defined;

-
+ +

storage components to be distributed across multiple locations/domains are defined;

+
@@ -72734,19 +69079,15 @@ - - + + -

Distribute the following processing and storage components across multiple : .

+

Distribute the following processing and storage components across multiple : .

Distributing processing and storage across multiple physical locations or logical domains provides a degree of redundancy or overlap for organizations. The redundancy and overlap increase the work factor of adversaries to adversely impact organizational operations, assets, and individuals. The use of distributed processing and storage does not assume a single primary processing or storage location. Therefore, it allows for parallel processing and storage.

@@ -72755,13 +69096,11 @@ -

- are distributed across ;

+

are distributed across ;

-

- are distributed across .

+

are distributed across .

@@ -72807,37 +69146,33 @@ - -

distributed processing and storage components for which polling techniques are to be employed to identify potential faults, errors, or compromises are defined;

-
+ +

distributed processing and storage components for which polling techniques are to be employed to identify potential faults, errors, or compromises are defined;

+
- -

actions to be taken in response to identified faults, errors, or compromise are defined;

-
+ +

actions to be taken in response to identified faults, errors, or compromise are defined;

+
- - + + -

Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: ; and

+

Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: ; and

-

Take the following actions in response to identified faults, errors, or compromises: .

+

Take the following actions in response to identified faults, errors, or compromises: .

@@ -72847,12 +69182,11 @@ -

polling techniques are employed to identify potential faults, errors, or compromises to ;

+

polling techniques are employed to identify potential faults, errors, or compromises to ;

-

- are taken in response to identified faults, errors, or compromise.

+

are taken in response to identified faults, errors, or compromise.

@@ -72894,32 +69228,26 @@ - -

duplicate systems or system components to be synchronized are defined;

-
+ +

duplicate systems or system components to be synchronized are defined;

+
- - + + -

Synchronize the following duplicate systems or system components: .

+

Synchronize the following duplicate systems or system components: .

-

- SC-36 and CP-9(6) require the duplication of systems or system components in distributed locations. The synchronization of duplicated and redundant services and data helps to ensure that information contained in the distributed locations can be used in the mission or business functions of organizations, as needed.

+

SC-36 and CP-9(6) require the duplication of systems or system components in distributed locations. The synchronization of duplicated and redundant services and data helps to ensure that information contained in the distributed locations can be used in the mission or business functions of organizations, as needed.

-

- are synchronized.

+

are synchronized.

@@ -72961,35 +69289,31 @@ - -

out-of-band channels to be employed for the physical delivery or electronic transmission of information, system components, or devices to individuals or the system are defined;

-
+ +

out-of-band channels to be employed for the physical delivery or electronic transmission of information, system components, or devices to individuals or the system are defined;

+
- -

information, system components, or devices to employ out-of-band-channels for physical delivery or electronic transmission are defined;

-
+ +

information, system components, or devices to employ out-of-band-channels for physical delivery or electronic transmission are defined;

+
- -

individuals or systems to which physical delivery or electronic transmission of information, system components, or devices is to be achieved via the employment of out-of-band channels are defined;

-
+ +

individuals or systems to which physical delivery or electronic transmission of information, system components, or devices is to be achieved via the employment of out-of-band channels are defined;

+
- - + + @@ -73006,15 +69330,14 @@ -

Employ the following out-of-band channels for the physical delivery or electronic transmission of to : .

+

Employ the following out-of-band channels for the physical delivery or electronic transmission of to : .

Out-of-band channels include local, non-network accesses to systems; network paths physically separate from network paths used for operational traffic; or non-electronic paths, such as the U.S. Postal Service. The use of out-of-band channels is contrasted with the use of in-band channels (i.e., the same channels) that carry routine operational traffic. Out-of-band channels do not have the same vulnerability or exposure as in-band channels. Therefore, the confidentiality, integrity, or availability compromises of in-band channels will not compromise or adversely affect the out-of-band channels. Organizations may employ out-of-band channels in the delivery or transmission of organizational items, including authenticators and credentials; cryptographic key management information; system and data backups; configuration management changes for hardware, firmware, or software; security updates; maintenance information; and malicious code protection updates.

-

- are employed for the physical delivery or electronic transmission of to .

+

are employed for the physical delivery or electronic transmission of to .

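Review bot: the statement in this hunk (`Employ the following out-of-band channels for the physical delivery or electronic transmission of to : .`) is mixed content with inline parameter insertions, and the whitespace between those inline elements is significant in the rendered text, unlike the indentation between block elements that the reformat is meant to normalize; the reviewer should check that the new serialization did not add or drop spaces inside such paragraphs, for example by parsing the old and new catalog and comparing the whitespace-normalized text of each paragraph, since the line-oriented diff shown here cannot distinguish the two kinds of whitespace.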
@@ -73061,46 +69384,41 @@ - -

controls to be employed to ensure that only designated individuals or systems receive specific information, system components, or devices are defined;

-
+ +

controls to be employed to ensure that only designated individuals or systems receive specific information, system components, or devices are defined;

+
- -

individuals or systems designated to receive specific information, system components, or devices are defined;

-
+ +

individuals or systems designated to receive specific information, system components, or devices are defined;

+
- -

information, system components, or devices that only individuals or systems are designated to receive are defined;

-
+ +

information, system components, or devices that only individuals or systems are designated to receive are defined;

+
- - + + -

Employ to ensure that only receive the following information, system components, or devices: .

+

Employ to ensure that only receive the following information, system components, or devices: .

Techniques employed by organizations to ensure that only designated systems or individuals receive certain information, system components, or devices include sending authenticators via an approved courier service but requiring recipients to show some form of government-issued photographic identification as a condition of receipt.

-

- are employed to ensure that only receive .

+

are employed to ensure that only receive .

@@ -73149,19 +69467,15 @@ - -

operations security controls to be employed to protect key organizational information throughout the system development life cycle are defined;

-
+ +

operations security controls to be employed to protect key organizational information throughout the system development life cycle are defined;

+
- - + + @@ -73174,15 +69488,14 @@ -

Employ the following operations security controls to protect key organizational information throughout the system development life cycle: .

+

Employ the following operations security controls to protect key organizational information throughout the system development life cycle: .

Operations security (OPSEC) is a systematic process by which potential adversaries can be denied information about the capabilities and intentions of organizations by identifying, controlling, and protecting generally unclassified information that specifically relates to the planning and execution of sensitive organizational activities. The OPSEC process involves five steps: identification of critical information, analysis of threats, analysis of vulnerabilities, assessment of risks, and the application of appropriate countermeasures. OPSEC controls are applied to organizational systems and the environments in which those systems operate. OPSEC controls protect the confidentiality of information, including limiting the sharing of information with suppliers, potential suppliers, and other non-organizational elements and individuals. Information critical to organizational mission and business functions includes user identities, element uses, suppliers, supply chain processes, functional requirements, security requirements, system design specifications, testing and evaluation protocols, and security control implementation details.

-

- are employed to protect key organizational information throughout the system development life cycle.

+

are employed to protect key organizational information throughout the system development life cycle.

@@ -73225,12 +69538,8 @@ - - + + @@ -73281,12 +69590,8 @@ - - + +

Implement hardware separation mechanisms to facilitate process isolation.

@@ -73337,29 +69642,25 @@ - -

multi-thread processing for which a separate execution domain is to be maintained for each thread is defined;

-
+ +

multi-thread processing for which a separate execution domain is to be maintained for each thread is defined;

+
- - + + -

Maintain a separate execution domain for each thread in .

+

Maintain a separate execution domain for each thread in .

None.

-

a separate execution domain is maintained for each thread in .

+

a separate execution domain is maintained for each thread in .

@@ -73400,61 +69701,51 @@ Wireless Link Protection - - + + - - + + - -

external wireless links to be protected from particular types of signal parameter attacks are defined;

-
+ +

external wireless links to be protected from particular types of signal parameter attacks are defined;

+
- -

types of signal parameter attacks or references to sources for such attacks from which to protect external wireless links are defined;

-
+ +

types of signal parameter attacks or references to sources for such attacks from which to protect external wireless links are defined;

+
- -

internal wireless links to be protected from particular types of signal parameter attacks are defined;

-
+ +

internal wireless links to be protected from particular types of signal parameter attacks are defined;

+
- -

types of signal parameter attacks or references to sources for such attacks from which to protect internal wireless links are defined;

-
+ +

types of signal parameter attacks or references to sources for such attacks from which to protect internal wireless links are defined;

+
- + -

Protect external and internal from the following signal parameter attacks: .

+

Protect external and internal from the following signal parameter attacks: .

Wireless link protection applies to internal and external wireless communication links that may be visible to individuals who are not authorized system users. Adversaries can exploit the signal parameters of wireless links if such links are not adequately protected. There are many ways to exploit the signal parameters of wireless links to gain intelligence, deny service, or spoof system users. Protection of wireless links reduces the impact of attacks that are unique to wireless systems. If organizations rely on commercial service providers for transmission services as commodity items rather than as fully dedicated services, it may not be possible to implement wireless link protections to the extent necessary to meet organizational security requirements.

@@ -73463,11 +69754,11 @@ -

external are protected from .

+

external are protected from .

-

internal are protected from .

+

internal are protected from .

@@ -73512,29 +69803,27 @@ - -

level of protection to be employed against the effects of intentional electromagnetic interference is defined;

-
+ +

level of protection to be employed against the effects of intentional electromagnetic interference is defined;

+
- + -

Implement cryptographic mechanisms that achieve against the effects of intentional electromagnetic interference.

+

Implement cryptographic mechanisms that achieve against the effects of intentional electromagnetic interference.

The implementation of cryptographic mechanisms for electromagnetic interference protects systems against intentional jamming that might deny or impair communications by ensuring that wireless spread spectrum waveforms used to provide anti-jam protection are not predictable by unauthorized individuals. The implementation of cryptographic mechanisms may also coincidentally mitigate the effects of unintentional jamming due to interference from legitimate transmitters that share the same spectrum. Mission requirements, projected threats, concept of operations, and laws, executive orders, directives, regulations, policies, and standards determine levels of wireless link availability, cryptography needed, and performance.

-

cryptographic mechanisms that achieve against the effects of intentional electromagnetic interference are implemented.

+

cryptographic mechanisms that achieve against the effects of intentional electromagnetic interference are implemented.

@@ -73579,28 +69868,26 @@ - -

the level of reduction to be achieved to reduce the detection potential of wireless links is defined;

-
+ +

the level of reduction to be achieved to reduce the detection potential of wireless links is defined;

+
- + -

Implement cryptographic mechanisms to reduce the detection potential of wireless links to .

+

Implement cryptographic mechanisms to reduce the detection potential of wireless links to .

The implementation of cryptographic mechanisms to reduce detection potential is used for covert communications and to protect wireless transmitters from geo-location. It also ensures that the spread spectrum waveforms used to achieve a low probability of detection are not predictable by unauthorized individuals. Mission requirements, projected threats, concept of operations, and applicable laws, executive orders, directives, regulations, policies, and standards determine the levels to which wireless links are undetectable.

-

cryptographic mechanisms to reduce the detection potential of wireless links to are implemented.

+

cryptographic mechanisms to reduce the detection potential of wireless links to are implemented.

@@ -73644,9 +69931,7 @@ - + @@ -73702,28 +69987,26 @@ - -

wireless transmitters for which cryptographic mechanisms are to be implemented are defined;

-
+ +

wireless transmitters for which cryptographic mechanisms are to be implemented are defined;

+
- + -

Implement cryptographic mechanisms to prevent the identification of by using the transmitter signal parameters.

+

Implement cryptographic mechanisms to prevent the identification of by using the transmitter signal parameters.

The implementation of cryptographic mechanisms to prevent the identification of wireless transmitters protects against the unique identification of wireless transmitters for the purposes of intelligence exploitation by ensuring that anti-fingerprinting alterations to signal parameters are not predictable by unauthorized individuals. It also provides anonymity when required. Radio fingerprinting techniques identify the unique signal parameters of transmitters to fingerprint such transmitters for purposes of tracking and mission or user identification.

-

cryptographic mechanisms are implemented to prevent the identification of by using the transmitter signal parameters.

+

cryptographic mechanisms are implemented to prevent the identification of by using the transmitter signal parameters.

@@ -73767,9 +70050,9 @@ - -

connection ports or input/output devices to be disabled or removed are defined;

-
+ +

connection ports or input/output devices to be disabled or removed are defined;

+
@@ -73783,32 +70066,26 @@ - -

systems or system components with connection ports or input/output devices to be disabled or removed are defined;

-
+ +

systems or system components with connection ports or input/output devices to be disabled or removed are defined;

+
- - + + -

- disable or remove on the following systems or system components: .

+

disable or remove on the following systems or system components: .

Connection ports include Universal Serial Bus (USB), Thunderbolt, and Firewire (IEEE 1394). Input/output (I/O) devices include compact disc and digital versatile disc drives. Disabling or removing such connection ports and I/O devices helps prevent the exfiltration of information from systems and the introduction of malicious code from those ports or devices. Physically disabling or removing ports and/or devices is the stronger action.

-

- are disabled or removed on .

+

are disabled or removed on .

@@ -73849,61 +70126,57 @@ - -

environmental sensing capabilities in devices are defined (if selected);

-
+ +

environmental sensing capabilities in devices are defined (if selected);

+
- -

facilities, areas, or systems where the use of devices possessing environmental sensing capabilities is prohibited are defined (if selected);

-
+ +

facilities, areas, or systems where the use of devices possessing environmental sensing capabilities is prohibited are defined (if selected);

+
- -

exceptions where remote activation of sensors is allowed are defined (if selected);

-
+ +

exceptions where remote activation of sensors is allowed are defined (if selected);

+
- -

group of users to whom an explicit indication of sensor use is to be provided is defined;

-
+ +

group of users to whom an explicit indication of sensor use is to be provided is defined;

+
- + -

Prohibit ; and

+

Prohibit ; and

-

Provide an explicit indication of sensor use to .

+

Provide an explicit indication of sensor use to .

@@ -73913,12 +70186,11 @@ -

- is/are prohibited;

+

is/are prohibited;

-

an explicit indication of sensor use is provided to .

+

an explicit indication of sensor use is provided to .

@@ -73962,26 +70234,24 @@ - -

sensors to be used to collect data or information are defined;

-
+ +

sensors to be used to collect data or information are defined;

+
- + -

Verify that the system is configured so that data or information collected by the is only reported to authorized individuals or roles.

+

Verify that the system is configured so that data or information collected by the is only reported to authorized individuals or roles.

In situations where sensors are activated by authorized individuals, it is still possible that the data or information collected by the sensors will be sent to unauthorized entities.

-

the system is configured so that data or information collected by the is only reported to authorized individuals or roles.

+

the system is configured so that data or information collected by the is only reported to authorized individuals or roles.

@@ -74026,29 +70296,26 @@ - -

measures to be employed so that data or information collected by sensors is only used for authorized purposes are defined;

-
+ +

measures to be employed so that data or information collected by sensors is only used for authorized purposes are defined;

+
- + -

Employ the following measures so that data or information collected by is only used for authorized purposes: .

+

Employ the following measures so that data or information collected by is only used for authorized purposes: .

Information collected by sensors for a specific authorized purpose could be misused for some unauthorized purpose. For example, GPS sensors that are used to support traffic navigation could be misused to track the movements of individuals. Measures to mitigate such activities include additional training to help ensure that authorized individuals do not abuse their authority and, in the case where sensor data is maintained by external parties, contractual restrictions on the use of such data.

-

- are employed so that data or information collected by is only used for authorized purposes.

+

are employed so that data or information collected by is only used for authorized purposes.

@@ -74101,39 +70368,35 @@ - -

measures to facilitate an individual’s awareness that personally identifiable information is being collected are defined;

-
+ +

measures to facilitate an individual’s awareness that personally identifiable information is being collected are defined;

+
- -

sensors that collect personally identifiable information are defined;

-
+ +

sensors that collect personally identifiable information are defined;

+
- + -

Employ the following measures to facilitate an individual’s awareness that personally identifiable information is being collected by : .

+

Employ the following measures to facilitate an individual’s awareness that personally identifiable information is being collected by : .

Awareness that organizational sensors are collecting data enables individuals to more effectively engage in managing their privacy. Measures can include conventional written notices and sensor configurations that make individuals directly or indirectly aware through other devices that the sensor is collecting information. The usability and efficacy of the notice are important considerations.

-

- are employed to facilitate an individual’s awareness that personally identifiable information is being collected by -

+

are employed to facilitate an individual’s awareness that personally identifiable information is being collected by

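Review bot: the collapsed line break in this hunk sits inside mixed content: the old statement line ends at `is being collected by` with the parameter reference on the following line, and the new line joins the two. In mixed content the newline is part of the text node, so the reformatter has to replace it with a single space rather than drop it, or the rendered objective reads `collected by` run straight into the inserted parameter value. Spot-checking one rendered or JSON-converted statement from this control after the change would settle it.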
@@ -74181,28 +70444,26 @@ - -

the sensors that are configured to minimize the collection of unneeded information about individuals are defined;

-
+ +

the sensors that are configured to minimize the collection of unneeded information about individuals are defined;

+
- + -

Employ that are configured to minimize the collection of information about individuals that is not needed.

+

Employ that are configured to minimize the collection of information about individuals that is not needed.

Although policies to control for authorized use can be applied to information once it is collected, minimizing the collection of information that is not needed mitigates privacy risk at the system entry point and mitigates the risk of policy control failures. Sensor configurations include the obscuring of human features, such as blurring or pixelating flesh tones.

-

the configured to minimize the collection of information about individuals that is not needed are employed.

+

the configured to minimize the collection of information about individuals that is not needed are employed.

@@ -74252,19 +70513,15 @@ - -

the components for which usage restrictions and implementation guidance are to be established are defined;

-
+ +

the components for which usage restrictions and implementation guidance are to be established are defined;

+
- - + + @@ -74275,7 +70532,7 @@ -

Establish usage restrictions and implementation guidelines for the following system components: ; and

+

Establish usage restrictions and implementation guidelines for the following system components: ; and

@@ -74289,21 +70546,21 @@ -

usage restrictions and implementation guidelines are established for ;

+

usage restrictions and implementation guidelines are established for ;

-

the use of is authorized within the system;

+

the use of is authorized within the system;

-

the use of is monitored within the system;

+

the use of is monitored within the system;

-

the use of is controlled within the system.

+

the use of is controlled within the system.

@@ -74346,16 +70603,14 @@ - -

the system, system component, or location where a detonation chamber capability is to be employed is defined;

-
+ +

the system, system component, or location where a detonation chamber capability is to be employed is defined;

+
- + @@ -74367,14 +70622,14 @@ -

Employ a detonation chamber capability within .

+

Employ a detonation chamber capability within .

Detonation chambers, also known as dynamic execution environments, allow organizations to open email attachments, execute untrusted or suspicious applications, and execute Universal Resource Locator requests in the safety of an isolated environment or a virtualized sandbox. Protected and isolated execution environments provide a means of determining whether the associated attachments or applications contain malicious code. While related to the concept of deception nets, the employment of detonation chambers is not intended to maintain a long-term environment in which adversaries can operate and their actions can be observed. Rather, detonation chambers are intended to quickly identify malicious code and either reduce the likelihood that the code is propagated to user environments of operation or prevent such propagation completely.

-

a detonation chamber capability is employed within the .

+

a detonation chamber capability is employed within the .

@@ -74411,9 +70666,7 @@ - + @@ -74464,41 +70717,39 @@ - -

the frequency at which to compare the internal system clocks with the authoritative time source is defined;

-
+ +

the frequency at which to compare the internal system clocks with the authoritative time source is defined;

+
- -

the authoritative time source to which internal system clocks are to be compared is defined;

-
+ +

the authoritative time source to which internal system clocks are to be compared is defined;

+
- -

the time period to compare the internal system clocks with the authoritative time source is defined;

-
+ +

the time period to compare the internal system clocks with the authoritative time source is defined;

+
- + -

Compare the internal system clocks with ; and

+

Compare the internal system clocks with ; and

-

Synchronize the internal system clocks to the authoritative time source when the time difference is greater than .

+

Synchronize the internal system clocks to the authoritative time source when the time difference is greater than .

@@ -74508,11 +70759,11 @@ -

the internal system clocks are compared with ;

+

the internal system clocks are compared with ;

-

the internal system clocks are synchronized with the authoritative time source when the time difference is greater than .

+

the internal system clocks are synchronized with the authoritative time source when the time difference is greater than .

@@ -74550,9 +70801,7 @@ - + @@ -74622,21 +70871,19 @@ - + -

Implement a policy enforcement mechanism between the physical and/or network interfaces for the connecting security domains.

+

Implement a policy enforcement mechanism between the physical and/or network interfaces for the connecting security domains.

-

For logical policy enforcement mechanisms, organizations avoid creating a logical path between interfaces to prevent the ability to bypass the policy enforcement mechanism. For physical policy enforcement mechanisms, the robustness of physical isolation afforded by the physical implementation of policy enforcement to preclude the presence of logical covert channels penetrating the security domain may be needed. Contact ncdsmo@nsa.gov for more information.

+

For logical policy enforcement mechanisms, organizations avoid creating a logical path between interfaces to prevent the ability to bypass the policy enforcement mechanism. For physical policy enforcement mechanisms, the robustness of physical isolation afforded by the physical implementation of policy enforcement to preclude the presence of logical covert channels penetrating the security domain may be needed. Contact ncdsmo@nsa.gov for more information.

-

a policy enforcement mechanism is implemented between the physical and/or network interfaces for the connecting security domains.

+

a policy enforcement mechanism is implemented between the physical and/or network interfaces for the connecting security domains.

@@ -74672,39 +70919,32 @@ Alternate Communications Paths - + - -

alternate communication paths for system operations and operational command and control are defined;

-
+ +

alternate communication paths for system operations and operational command and control are defined;

+
- - + + -

Establish for system operations organizational command and control.

+

Establish for system operations organizational command and control.

An incident, whether adversarial- or nonadversarial-based, can disrupt established communications paths used for system operations and organizational command and control. Alternate communications paths reduce the risk of all communications paths being affected by the same incident. To compound the problem, the inability of organizational officials to obtain timely information about disruptions or to provide timely direction to operational elements after a communications path incident, can impact the ability of the organization to respond to such incidents in a timely manner. Establishing alternate communications paths for command and control purposes, including designating alternative decision makers if primary decision makers are unavailable and establishing the extent and limitations of their actions, can greatly facilitate the organization’s ability to continue to operate and take appropriate actions during an incident.

-

- are established for system operations and operational command and control.

+

are established for system operations and operational command and control.

@@ -74742,49 +70982,44 @@ - -

sensors and monitoring capabilities to be relocated are defined;

-
+ +

sensors and monitoring capabilities to be relocated are defined;

+
- -

locations to where sensors and monitoring capabilities are to be relocated are defined;

-
+ +

locations to where sensors and monitoring capabilities are to be relocated are defined;

+
- -

conditions or circumstances for relocating sensors and monitoring capabilities are defined;

-
+ +

conditions or circumstances for relocating sensors and monitoring capabilities are defined;

+
- - + + -

Relocate to under the following conditions or circumstances: .

+

Relocate to under the following conditions or circumstances: .

Adversaries may take various paths and use different approaches as they move laterally through an organization (including its systems) to reach their target or as they attempt to exfiltrate information from the organization. The organization often only has a limited set of monitoring and detection capabilities, and they may be focused on the critical or likely infiltration or exfiltration paths. By using communications paths that the organization typically does not monitor, the adversary can increase its chances of achieving its desired goals. By relocating its sensors or monitoring capabilities to new locations, the organization can impede the adversary’s ability to achieve its goals. The relocation of the sensors or monitoring capabilities might be done based on threat information that the organization has acquired or randomly to confuse the adversary and make its lateral transition through the system or organization more challenging.

-

- are relocated to under .

+

are relocated to under .

@@ -74824,46 +71059,41 @@ - -

sensors and monitoring capabilities to be dynamically relocated are defined;

-
+ +

sensors and monitoring capabilities to be dynamically relocated are defined;

+
- -

locations to where sensors and monitoring capabilities are to be dynamically relocated are defined;

-
+ +

locations to where sensors and monitoring capabilities are to be dynamically relocated are defined;

+
- -

conditions or circumstances for dynamically relocating sensors and monitoring capabilities are defined;

-
+ +

conditions or circumstances for dynamically relocating sensors and monitoring capabilities are defined;

+
- - + + -

Dynamically relocate to under the following conditions or circumstances: .

+

Dynamically relocate to under the following conditions or circumstances: .

None.

-

- are dynamically relocated to under .

+

are dynamically relocated to under .

@@ -74905,35 +71135,29 @@ - -

security domains requiring hardware-enforced separation and policy enforcement mechanisms are defined;

-
+ +

security domains requiring hardware-enforced separation and policy enforcement mechanisms are defined;

+
- - - + + + -

Implement hardware-enforced separation and policy enforcement mechanisms between .

+

Implement hardware-enforced separation and policy enforcement mechanisms between .

System owners may require additional strength of mechanism and robustness to ensure domain separation and policy enforcement for specific types of threats and environments of operation. Hardware-enforced separation and policy enforcement provide greater strength of mechanism than software-enforced separation and policy enforcement.

-

hardware-enforced separation and policy enforcement mechanisms are implemented between .

+

hardware-enforced separation and policy enforcement mechanisms are implemented between .

@@ -74971,22 +71195,16 @@ - -

security domains requiring software-enforced separation and policy enforcement mechanisms are defined;

-
+ +

security domains requiring software-enforced separation and policy enforcement mechanisms are defined;

+
- - - + + + @@ -74995,14 +71213,14 @@ -

Implement software-enforced separation and policy enforcement mechanisms between .

+

Implement software-enforced separation and policy enforcement mechanisms between .

System owners may require additional strength of mechanism to ensure domain separation and policy enforcement for specific types of threats and environments of operation.

-

software-enforced separation and policy enforcement mechanisms are implemented between .

+

software-enforced separation and policy enforcement mechanisms are implemented between .

@@ -75040,38 +71258,32 @@ - -

system firmware components requiring hardware-based write-protect are defined;

-
+ +

system firmware components requiring hardware-based write-protect are defined;

+
- -

authorized individuals requiring procedures for disabling and re-enabling hardware write-protect are defined;

-
+ +

authorized individuals requiring procedures for disabling and re-enabling hardware write-protect are defined;

+
- - - + + + -

Employ hardware-based, write-protect for ; and

+

Employ hardware-based, write-protect for ; and

-

Implement specific procedures for to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.

+

Implement specific procedures for to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.

@@ -75081,17 +71293,17 @@ -

hardware-based write-protect for is employed;

+

hardware-based write-protect for is employed;

-

specific procedures are implemented for to manually disable hardware write-protect for firmware modifications;

+

specific procedures are implemented for to manually disable hardware write-protect for firmware modifications;

-

specific procedures are implemented for to re-enable the write-protect prior to returning to operational mode.

+

specific procedures are implemented for to re-enable the write-protect prior to returning to operational mode.

@@ -75134,27 +71346,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;

-
+ +

personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;

+
- -

personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;

-
+ +

personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;

+
@@ -75169,51 +71377,47 @@ - -

an official to manage the system and information integrity policy and procedures is defined;

-
+ +

an official to manage the system and information integrity policy and procedures is defined;

+
- -

the frequency at which the current system and information integrity policy is reviewed and updated is defined;

-
+ +

the frequency at which the current system and information integrity policy is reviewed and updated is defined;

+
- -

events that would require the current system and information integrity policy to be reviewed and updated are defined;

-
+ +

events that would require the current system and information integrity policy to be reviewed and updated are defined;

+
- -

the frequency at which the current system and information integrity procedures are reviewed and updated is defined;

-
+ +

the frequency at which the current system and information integrity procedures are reviewed and updated is defined;

+
- -

events that would require the system and information integrity procedures to be reviewed and updated are defined;

-
+ +

events that would require the system and information integrity procedures to be reviewed and updated are defined;

+
- - + + @@ -75224,11 +71428,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- system and information integrity policy that:

+

system and information integrity policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

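Review bot: reproducibility is what is missing here: every hunk, this one included, changes layout only (`system and information integrity policy that:` is the same on both sides), which is the kind of change that should come from a tool rather than by hand, and nothing in the hunk says which tool or invocation produced it. Please record the exact command so the transformation can be rerun, and confirm it is idempotent (a second run over the new file gives an empty diff); otherwise the next catalog update will reintroduce the old layout and another whitespace-only commit of this size.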
@@ -75245,18 +71448,18 @@
-

Designate an to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and

Review and update the current system and information integrity:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -75273,7 +71476,7 @@
-

the system and information integrity policy is disseminated to ;

+

the system and information integrity policy is disseminated to ;

@@ -75281,7 +71484,7 @@ -

the system and information integrity procedures are disseminated to ;

+

the system and information integrity procedures are disseminated to ;

@@ -75289,42 +71492,42 @@ -

the system and information integrity policy addresses purpose;

+

the system and information integrity policy addresses purpose;

-

the system and information integrity policy addresses scope;

+

the system and information integrity policy addresses scope;

-

the system and information integrity policy addresses roles;

+

the system and information integrity policy addresses roles;

-

the system and information integrity policy addresses responsibilities;

+

the system and information integrity policy addresses responsibilities;

-

the system and information integrity policy addresses management commitment;

+

the system and information integrity policy addresses management commitment;

-

the system and information integrity policy addresses coordination among organizational entities;

+

the system and information integrity policy addresses coordination among organizational entities;

-

the system and information integrity policy addresses compliance;

+

the system and information integrity policy addresses compliance;

-

the system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+

the system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

-

the is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;

@@ -75332,22 +71535,22 @@ -

the current system and information integrity policy is reviewed and updated ;

+

the current system and information integrity policy is reviewed and updated ;

-

the current system and information integrity policy is reviewed and updated following ;

+

the current system and information integrity policy is reviewed and updated following ;

-

the current system and information integrity procedures are reviewed and updated ;

+

the current system and information integrity procedures are reviewed and updated ;

-

the current system and information integrity procedures are reviewed and updated following .

+

the current system and information integrity procedures are reviewed and updated following .

@@ -75378,16 +71581,14 @@ - -

time period within which to install security-relevant software updates after the release of the updates is defined;

-
+ +

time period within which to install security-relevant software updates after the release of the updates is defined;

+
- + @@ -75421,7 +71622,7 @@
-

Install security-relevant software and firmware updates within of the release of the updates; and

+

Install security-relevant software and firmware updates within of the release of the updates; and

@@ -75472,11 +71673,11 @@ -

security-relevant software updates are installed within of the release of the updates;

+

security-relevant software updates are installed within of the release of the updates;

-

security-relevant firmware updates are installed within of the release of the updates;

+

security-relevant firmware updates are installed within of the release of the updates;

@@ -75536,37 +71737,34 @@ - -

automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined;

-
+ +

automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined;

+
- -

the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined;

-
+ +

the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined;

+
- + -

Determine if system components have applicable security-relevant software and firmware updates installed using - .

+

Determine if system components have applicable security-relevant software and firmware updates installed using .

Automated mechanisms can track and determine the status of known flaws for system components.

-

system components have applicable security-relevant software and firmware updates installed using .

+

system components have applicable security-relevant software and firmware updates installed using .

@@ -75607,16 +71805,14 @@ - -

the benchmarks for taking corrective actions are defined;

-
+ +

the benchmarks for taking corrective actions are defined;

+
- + @@ -75625,7 +71821,7 @@ -

Establish the following benchmarks for taking corrective actions: .

+

Establish the following benchmarks for taking corrective actions: .

@@ -75639,8 +71835,7 @@ -

- for taking corrective actions have been established.

+

for taking corrective actions have been established.

@@ -75684,29 +71879,25 @@ - -

the system components requiring automated patch management tools to facilitate flaw remediation are defined;

-
+ +

the system components requiring automated patch management tools to facilitate flaw remediation are defined;

+
- - + + -

Employ automated patch management tools to facilitate flaw remediation to the following system components: .

+

Employ automated patch management tools to facilitate flaw remediation to the following system components: .

Using automated tools to support patch management helps to ensure the timeliness and completeness of system patching operations.

-

automated patch management tools are employed to facilitate flaw remediation to .

+

automated patch management tools are employed to facilitate flaw remediation to .

@@ -75751,38 +71942,33 @@ - -

security-relevant software and firmware updates to be automatically installed to system components are defined;

-
+ +

security-relevant software and firmware updates to be automatically installed to system components are defined;

+
- -

system components requiring security-relevant software updates to be automatically installed are defined;

-
+ +

system components requiring security-relevant software updates to be automatically installed are defined;

+
- - + + -

Install automatically to .

+

Install automatically to .

Due to system integrity and availability concerns, organizations consider the methodology used to carry out automatic updates. Organizations balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and control with any mission or operational impacts that automatic updates might impose.

-

- are installed automatically to .

+

are installed automatically to .

@@ -75824,29 +72010,25 @@ - -

software and firmware components to be removed after updated versions have been installed are defined;

-
+ +

software and firmware components to be removed after updated versions have been installed are defined;

+
- - + + -

Remove previous versions of after updated versions have been installed.

+

Remove previous versions of after updated versions have been installed.

Previous versions of software or firmware components that are not removed from the system after updates have been installed may be exploited by adversaries. Some products may automatically remove previous versions of software and firmware from the system.

-

previous versions of are removed after updated versions have been installed.

+

previous versions of are removed after updated versions have been installed.

@@ -75897,9 +72079,9 @@ - -

the frequency at which malicious code protection mechanisms perform scans is defined;

-
+ +

the frequency at which malicious code protection mechanisms perform scans is defined;

+
@@ -75915,35 +72097,30 @@ - -

action to be taken in response to malicious code detection are defined (if selected);

-
+ +

action to be taken in response to malicious code detection are defined (if selected);

+
- -

personnel or roles to be alerted when malicious code is detected is/are defined;

-
+ +

personnel or roles to be alerted when malicious code is detected is/are defined;

+
- - + + @@ -75969,7 +72146,7 @@ -

Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;

+

Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;

@@ -75980,12 +72157,11 @@

Configure malicious code protection mechanisms to:

-

Perform periodic scans of the system and real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy; and

+

Perform periodic scans of the system and real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy; and

-

- ; and send alert to in response to malicious code detection; and

+

; and send alert to in response to malicious code detection; and

@@ -76004,13 +72180,11 @@ -

- malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;

+

malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;

-

- malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;

+

malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;

@@ -76023,22 +72197,22 @@ -

malicious code protection mechanisms are configured to perform periodic scans of the system ;

+

malicious code protection mechanisms are configured to perform periodic scans of the system ;

-

malicious code protection mechanisms are configured to perform real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy;

+

malicious code protection mechanisms are configured to perform real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy;

-

malicious code protection mechanisms are configured to in response to malicious code detection;

+

malicious code protection mechanisms are configured to in response to malicious code detection;

-

malicious code protection mechanisms are configured to send alerts to in response to malicious code detection;

+

malicious code protection mechanisms are configured to send alerts to in response to malicious code detection;

@@ -76116,12 +72290,8 @@ - - + + @@ -76184,16 +72354,14 @@ - -

the frequency at which to test malicious code protection mechanisms is defined;

-
+ +

the frequency at which to test malicious code protection mechanisms is defined;

+
- + @@ -76201,7 +72369,7 @@ -

Test malicious code protection mechanisms by introducing known benign code into the system; and

+

Test malicious code protection mechanisms by introducing known benign code into the system; and

@@ -76215,7 +72383,7 @@ -

malicious code protection mechanisms are tested by introducing known benign code into the system;

+

malicious code protection mechanisms are tested by introducing known benign code into the system;

@@ -76277,17 +72445,17 @@ - -

system hardware components for which unauthorized operating system commands are to be detected through the kernel application programming interface are defined;

-
+ +

system hardware components for which unauthorized operating system commands are to be detected through the kernel application programming interface are defined;

+
- -

unauthorized operating system commands to be detected are defined;

-
+ +

unauthorized operating system commands to be detected are defined;

+
@@ -76301,9 +72469,7 @@ - + @@ -76311,12 +72477,11 @@ -

Detect the following unauthorized operating system commands through the kernel application programming interface on : ; and

+

Detect the following unauthorized operating system commands through the kernel application programming interface on : ; and

-

- .

+

.

@@ -76326,13 +72491,11 @@ -

- are detected through the kernel application programming interface on ;

+

are detected through the kernel application programming interface on ;

-

- is/are performed.

+

is/are performed.

@@ -76385,21 +72548,19 @@ - -

tools and techniques to be employed to analyze the characteristics and behavior of malicious code are defined;

-
+ +

tools and techniques to be employed to analyze the characteristics and behavior of malicious code are defined;

+
- + -

Employ the following tools and techniques to analyze the characteristics and behavior of malicious code: ; and

+

Employ the following tools and techniques to analyze the characteristics and behavior of malicious code: ; and

@@ -76413,8 +72574,7 @@ -

- are employed to analyze the characteristics and behavior of malicious code;

+

are employed to analyze the characteristics and behavior of malicious code;

@@ -76477,64 +72637,56 @@ - -

monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;

-
+ +

monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;

+
- -

techniques and methods used to identify unauthorized use of the system are defined;

-
+ +

techniques and methods used to identify unauthorized use of the system are defined;

+
- -

system monitoring information to be provided to personnel or roles is defined;

-
+ +

system monitoring information to be provided to personnel or roles is defined;

+
- -

personnel or roles to whom system monitoring information is to be provided is/are defined;

-
+ +

personnel or roles to whom system monitoring information is to be provided is/are defined;

+
- -

a frequency for providing system monitoring to personnel or roles is defined (if selected);

-
+ +

a frequency for providing system monitoring to personnel or roles is defined (if selected);

+
- - - + + + @@ -76587,7 +72739,7 @@

Monitor the system to detect:

-

Attacks and indicators of potential attacks in accordance with the following monitoring objectives: ; and

+

Attacks and indicators of potential attacks in accordance with the following monitoring objectives: ; and

@@ -76596,7 +72748,7 @@ -

Identify unauthorized use of the system through the following techniques and methods: ;

+

Identify unauthorized use of the system through the following techniques and methods: ;

@@ -76624,13 +72776,12 @@ -

Provide to - .

+

Provide to .

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.

-

Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17 . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

+

Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17 . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
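Review bot: in this hunk "Provide to" followed by "." on the next line becomes the single line "Provide to ." (hunk length 13 to 12), which edits a text node inside a paragraph rather than indentation between elements. Whitespace inside the mixed content of a paragraph is significant to consumers that do not normalize it, so the reformat should be checked to only rejoin lines at element boundaries; a normalize-space() comparison of every paragraph before and after the change would settle it. The same join appears later in this file ("is provided to" / "." becoming "is provided to ."), so the check is worth running over the whole catalog rather than this hunk alone.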

@@ -76638,7 +72789,7 @@ -

the system is monitored to detect attacks and indicators of potential attacks in accordance with ;

+

the system is monitored to detect attacks and indicators of potential attacks in accordance with ;

@@ -76658,7 +72809,7 @@ -

unauthorized use of the system is identified through ;

+

unauthorized use of the system is identified through ;

@@ -76692,9 +72843,7 @@ -

- is provided to - .

+

is provided to .

@@ -76737,15 +72886,9 @@ - - - + + +

Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.

@@ -76804,12 +72947,8 @@ - - + + @@ -76869,12 +73008,8 @@ - - + + @@ -76936,60 +73071,48 @@ Inbound and Outbound Communications Traffic - - + + - - + + - -

the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined;

-
+ +

the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined;

+
- -

unusual or unauthorized activities or conditions that are to be monitored in inbound communications traffic are defined;

-
+ +

unusual or unauthorized activities or conditions that are to be monitored in inbound communications traffic are defined;

+
- -

the frequency at which to monitor outbound communications traffic for unusual or unauthorized activities or conditions is defined;

-
+ +

the frequency at which to monitor outbound communications traffic for unusual or unauthorized activities or conditions is defined;

+
- -

unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined;

-
+ +

unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined;

+
- - + + @@ -76998,7 +73121,7 @@ -

Monitor inbound and outbound communications traffic for .

+

Monitor inbound and outbound communications traffic for .

@@ -77021,11 +73144,11 @@ -

inbound communications traffic is monitored for ;

+

inbound communications traffic is monitored for ;

-

outbound communications traffic is monitored for .

+

outbound communications traffic is monitored for .

@@ -77072,41 +73195,36 @@ - -

personnel or roles to be alerted when indications of compromise or potential compromise occur is/are defined;

-
+ +

personnel or roles to be alerted when indications of compromise or potential compromise occur is/are defined;

+
- -

compromise indicators are defined;

-
+ +

compromise indicators are defined;

+
- - + + -

Alert when the following system-generated indications of compromise or potential compromise occur: .

+

Alert when the following system-generated indications of compromise or potential compromise occur: .

-

Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in SI-4(12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats.

+

Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in SI-4(12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats.

-

- are alerted when system-generated occur.

+

are alerted when system-generated occur.

@@ -77160,44 +73278,36 @@ Automated Response to Suspicious Events - + - -

incident response personnel (identified by name and/or by role) to be notified of detected suspicious events is/are defined;

-
+ +

incident response personnel (identified by name and/or by role) to be notified of detected suspicious events is/are defined;

+
- + - -

least-disruptive actions to terminate suspicious events are defined;

-
+ +

least-disruptive actions to terminate suspicious events are defined;

+
- - + + -

Notify of detected suspicious events; and

+

Notify of detected suspicious events; and

-

Take the following actions upon detection: .

+

Take the following actions upon detection: .

@@ -77207,13 +73317,11 @@ -

- are notified of detected suspicious events;

+

are notified of detected suspicious events;

-

- are taken upon the detection of suspicious events.

+

are taken upon the detection of suspicious events.

@@ -77270,29 +73378,25 @@ - -

a frequency at which to test intrusion-monitoring tools and mechanisms is defined;

-
+ +

a frequency at which to test intrusion-monitoring tools and mechanisms is defined;

+
- - + + -

Test intrusion-monitoring tools and mechanisms .

+

Test intrusion-monitoring tools and mechanisms .

Testing intrusion-monitoring tools and mechanisms is necessary to ensure that the tools and mechanisms are operating correctly and continue to satisfy the monitoring objectives of organizations. The frequency and depth of testing depends on the types of tools and mechanisms used by organizations and the methods of deployment.

-

intrusion-monitoring tools and mechanisms are tested .

+

intrusion-monitoring tools and mechanisms are tested .

@@ -77333,37 +73437,33 @@ - -

encrypted communications traffic to be made visible to system monitoring tools and mechanisms is defined;

-
+ +

encrypted communications traffic to be made visible to system monitoring tools and mechanisms is defined;

+
- -

system monitoring tools and mechanisms to be provided access to encrypted communications traffic are defined;

-
+ +

system monitoring tools and mechanisms to be provided access to encrypted communications traffic are defined;

+
- - + + -

Make provisions so that is visible to .

+

Make provisions so that is visible to .

Organizations balance the need to encrypt communications traffic to protect data confidentiality with the need to maintain visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types.

-

provisions are made so that is visible to .

+

provisions are made so that is visible to .

@@ -77405,30 +73505,22 @@ Analyze Communications Traffic Anomalies - + - -

interior points within the system where communications traffic is to be analyzed are defined;

-
+ +

interior points within the system where communications traffic is to be analyzed are defined;

+
- - - + + + -

Analyze outbound communications traffic at the external interfaces to the system and selected to discover anomalies.

+

Analyze outbound communications traffic at the external interfaces to the system and selected to discover anomalies.

Organization-defined interior points include subnetworks and subsystems. Anomalies within organizational systems include large file transfers, long-time persistent connections, attempts to access information from unexpected locations, the use of unusual protocols and ports, the use of unmonitored network protocols (e.g., IPv6 usage during IPv4 transition), and attempted communications with suspected malicious external addresses.

@@ -77441,7 +73533,7 @@
-

outbound communications traffic at is analyzed to discover anomalies.

+

outbound communications traffic at is analyzed to discover anomalies.

@@ -77488,49 +73580,42 @@ - -

personnel or roles to be alerted when indications of inappropriate or unusual activity with security or privacy implications occur is/are defined;

-
+ +

personnel or roles to be alerted when indications of inappropriate or unusual activity with security or privacy implications occur is/are defined;

+
- -

automated mechanisms used to alert personnel or roles are defined;

-
+ +

automated mechanisms used to alert personnel or roles are defined;

+
- -

activities that trigger alerts to personnel or are defined;

-
+ +

activities that trigger alerts to personnel or are defined;

+
- - - + + + -

Alert using when the following indications of inappropriate or unusual activities with security or privacy implications occur: .

+

Alert using when the following indications of inappropriate or unusual activities with security or privacy implications occur: .

-

Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. Automated organization-generated alerts are the security alerts generated by organizations and transmitted using automated means. The sources for organization-generated alerts are focused on other entities such as suspicious activity reports and reports on potential insider threats. In contrast to alerts generated by the organization, alerts generated by the system in SI-4(5) focus on information sources that are internal to the systems, such as audit records.

+

Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. Automated organization-generated alerts are the security alerts generated by organizations and transmitted using automated means. The sources for organization-generated alerts are focused on other entities such as suspicious activity reports and reports on potential insider threats. In contrast to alerts generated by the organization, alerts generated by the system in SI-4(5) focus on information sources that are internal to the systems, such as audit records.

-

- is/are alerted using when indicate inappropriate or unusual activities with security or privacy implications.

+

is/are alerted using when indicate inappropriate or unusual activities with security or privacy implications.

@@ -77579,15 +73664,9 @@ - - - + + + @@ -77685,12 +73764,8 @@ - - + + @@ -77756,12 +73831,8 @@ - - + + @@ -77816,15 +73887,9 @@ - - - + + + @@ -77879,12 +73944,8 @@ - - + + @@ -77895,7 +73956,7 @@

Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.

-

Correlating monitoring information from a more diverse set of information sources helps to achieve integrated situational awareness. Integrated situational awareness from a combination of physical, cyber, and supply chain monitoring activities enhances the capability of organizations to more quickly detect sophisticated attacks and investigate the methods and techniques employed to carry out such attacks. In contrast to SI-4(16) , which correlates the various cyber monitoring information, integrated situational awareness is intended to correlate monitoring beyond the cyber domain. Correlation of monitoring information from multiple activities may help reveal attacks on organizations that are operating across multiple attack vectors.

+

Correlating monitoring information from a more diverse set of information sources helps to achieve integrated situational awareness. Integrated situational awareness from a combination of physical, cyber, and supply chain monitoring activities enhances the capability of organizations to more quickly detect sophisticated attacks and investigate the methods and techniques employed to carry out such attacks. In contrast to SI-4(16) , which correlates the various cyber monitoring information, integrated situational awareness is intended to correlate monitoring beyond the cyber domain. Correlation of monitoring information from multiple activities may help reveal attacks on organizations that are operating across multiple attack vectors.

@@ -77943,30 +74004,22 @@ Analyze Traffic and Covert Exfiltration - + - -

interior points within the system where communications traffic is to be analyzed are defined;

-
+ +

interior points within the system where communications traffic is to be analyzed are defined;

+
- - - + + + -

Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: .

+

Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: .

Organization-defined interior points include subnetworks and subsystems. Covert means that can be used to exfiltrate information include steganography.

@@ -77979,7 +74032,7 @@
-

outbound communications traffic is analyzed at to detect covert exfiltration of information.

+

outbound communications traffic is analyzed at to detect covert exfiltration of information.

@@ -78026,38 +74079,33 @@ - -

additional monitoring of individuals who have been identified as posing an increased level of risk is defined;

-
+ +

additional monitoring of individuals who have been identified as posing an increased level of risk is defined;

+
- -

sources that identify individuals who pose an increased level of risk are defined;

-
+ +

sources that identify individuals who pose an increased level of risk are defined;

+
- - + + -

Implement of individuals who have been identified by as posing an increased level of risk.

+

Implement of individuals who have been identified by as posing an increased level of risk.

Indications of increased risk from individuals can be obtained from different sources, including personnel records, intelligence agencies, law enforcement organizations, and other sources. The monitoring of individuals is coordinated with the management, legal, security, privacy, and human resource officials who conduct such monitoring. Monitoring is conducted in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

-

- is implemented on individuals who have been identified by as posing an increased level of risk.

+

is implemented on individuals who have been identified by as posing an increased level of risk.

@@ -78103,31 +74151,26 @@ - -

additional monitoring of privileged users is defined;

-
+ +

additional monitoring of privileged users is defined;

+
- - + + -

Implement the following additional monitoring of privileged users: .

+

Implement the following additional monitoring of privileged users: .

Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions.

-

- of privileged users is implemented.

+

of privileged users is implemented.

@@ -78170,39 +74213,34 @@ - -

additional monitoring to be implemented on individuals during probationary periods is defined;

-
+ +

additional monitoring to be implemented on individuals during probationary periods is defined;

+
- -

the probationary period of individuals is defined;

-
+ +

the probationary period of individuals is defined;

+
- - + + -

Implement the following additional monitoring of individuals during : .

+

Implement the following additional monitoring of individuals during : .

During probationary periods, employees do not have permanent employment status within organizations. Without such status or access to information that is resident on the system, additional monitoring can help identify any potentially malicious activity or inappropriate behavior.

-

- of individuals is implemented during .

+

of individuals is implemented during .

@@ -78245,47 +74283,41 @@ - -

authorization or approval processes for network services are defined;

-
+ +

authorization or approval processes for network services are defined;

+
- -

personnel or roles to be alerted upon the detection of network services that have not been authorized or approved by authorization or approval processes is/are defined (if selected);

-
+ +

personnel or roles to be alerted upon the detection of network services that have not been authorized or approved by authorization or approval processes is/are defined (if selected);

+
- - + + -

Detect network services that have not been authorized or approved by ; and

+

Detect network services that have not been authorized or approved by ; and

-

- when detected.

+

when detected.

@@ -78295,12 +74327,11 @@ -

network services that have not been authorized or approved by are detected;

+

network services that have not been authorized or approved by are detected;

-

- is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.

+

is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.

@@ -78349,40 +74380,35 @@ - -

host-based monitoring mechanisms to be implemented on system components are defined;

-
+ +

host-based monitoring mechanisms to be implemented on system components are defined;

+
- -

system components where host-based monitoring is to be implemented are defined;

-
+ +

system components where host-based monitoring is to be implemented are defined;

+
- - + + -

Implement the following host-based monitoring mechanisms at : .

+

Implement the following host-based monitoring mechanisms at : .

Host-based monitoring collects information about the host (or system in which it resides). System components in which host-based monitoring can be implemented include servers, notebook computers, and mobile devices. Organizations may consider employing host-based monitoring mechanisms from multiple product developers or vendors.

-

- are implemented on .

+

are implemented on .

@@ -78427,31 +74453,27 @@ - -

sources that provide indicators of compromise are defined;

-
+ +

sources that provide indicators of compromise are defined;

+
- -

personnel or roles to whom indicators of compromise are to be distributed is/are defined;

-
+ +

personnel or roles to whom indicators of compromise are to be distributed is/are defined;

+
- - + + -

Discover, collect, and distribute to , indicators of compromise provided by .

+

Discover, collect, and distribute to , indicators of compromise provided by .

Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational systems at the host or network level. IOCs provide valuable information on systems that have been compromised. IOCs can include the creation of registry key values. IOCs for network traffic include Universal Resource Locator or protocol elements that indicate malicious code command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that systems and organizations are vulnerable to the same exploit or attack. Threat indicators, signatures, tactics, techniques, procedures, and other indicators of compromise may be available via government and non-government cooperatives, including the Forum of Incident Response and Security Teams, the United States Computer Emergency Readiness Team, the Defense Industrial Base Cybersecurity Information Sharing Program, and the CERT Coordination Center.

@@ -78460,15 +74482,15 @@ -

indicators of compromise provided by are discovered;

+

indicators of compromise provided by are discovered;

-

indicators of compromise provided by are collected;

+

indicators of compromise provided by are collected;

-

indicators of compromise provided by are distributed to .

+

indicators of compromise provided by are distributed to .

@@ -78514,12 +74536,8 @@ - - + +

Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.

@@ -78585,61 +74603,49 @@ - -

external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;

-
+ +

external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;

+
- -

personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected);

-
+ +

personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected);

+
- + - -

elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);

-
+ +

elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);

+
- -

external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);

-
+ +

external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);

+
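Review bot: this hunk drops from 61 to 49 lines while consisting only of element markup, which means multi-line start tags were joined onto single lines rather than merely reindented. A whitespace-only commit should come with a structural equivalence check (canonicalized old vs new file, or at least matching element and attribute counts) so a dropped attribute inside a joined tag cannot hide in a 12-line reduction; please add that comparison to the description or to CI.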
- - + + @@ -78647,7 +74653,7 @@ -

Receive system security alerts, advisories, and directives from on an ongoing basis;

+

Receive system security alerts, advisories, and directives from on an ongoing basis;

@@ -78655,7 +74661,7 @@ -

Disseminate security alerts, advisories, and directives to: ; and

+

Disseminate security alerts, advisories, and directives to: ; and

@@ -78669,7 +74675,7 @@ -

system security alerts, advisories, and directives are received from on an ongoing basis;

+

system security alerts, advisories, and directives are received from on an ongoing basis;

@@ -78677,7 +74683,7 @@ -

security alerts, advisories, and directives are disseminated to ;

+

security alerts, advisories, and directives are disseminated to ;

@@ -78722,30 +74728,25 @@ - -

automated mechanisms used to broadcast security alert and advisory information throughout the organization are defined;

-
+ +

automated mechanisms used to broadcast security alert and advisory information throughout the organization are defined;

+
- - + + -

Broadcast security alert and advisory information throughout the organization using .

+

Broadcast security alert and advisory information throughout the organization using .

The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational mission and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of risk, including the governance level, mission and business process level, and the information system level.

-

- are used to broadcast security alert and advisory information throughout the organization.

+

are used to broadcast security alert and advisory information throughout the organization.

@@ -78787,64 +74788,56 @@ Security and Privacy Function Verification - - + + - -

security functions to be verified for correct operation are defined;

-
+ +

security functions to be verified for correct operation are defined;

+
- -

privacy functions to be verified for correct operation are defined;

-
+ +

privacy functions to be verified for correct operation are defined;

+
- -

system transitional states requiring the verification of security and privacy functions are defined; (if selected)

-
+ +

system transitional states requiring the verification of security and privacy functions are defined; (if selected)

+
- -

frequency at which to verify the correct operation of security and privacy functions is defined; (if selected)

-
+ +

frequency at which to verify the correct operation of security and privacy functions is defined; (if selected)

+
- -

personnel or roles to be alerted of failed security and privacy verification tests is/are defined;

-
+ +

personnel or roles to be alerted of failed security and privacy verification tests is/are defined;

+
@@ -78852,28 +74845,22 @@ - -

alternative action(s) to be performed when anomalies are discovered are defined (if selected);

-
+ +

alternative action(s) to be performed when anomalies are discovered are defined (if selected);

+
- - + + @@ -78882,20 +74869,19 @@ -

Verify the correct operation of ;

+

Verify the correct operation of ;

-

Perform the verification of the functions specified in SI-6a ;

+

Perform the verification of the functions specified in SI-6a ;

-

Alert to failed security and privacy verification tests; and

+

Alert to failed security and privacy verification tests; and

-

- when anomalies are discovered.

+

when anomalies are discovered.

@@ -78907,45 +74893,38 @@ -

- are verified to be operating correctly;

+

are verified to be operating correctly;

-

- are verified to be operating correctly;

+

are verified to be operating correctly;

-

- are verified ;

+

are verified ;

-

- are verified ;

+

are verified ;

-

- is/are alerted to failed security verification tests;

+

is/are alerted to failed security verification tests;

-

- is/are alerted to failed privacy verification tests;

+

is/are alerted to failed privacy verification tests;

-

- is/are initiated when anomalies are discovered.

+

is/are initiated when anomalies are discovered.

@@ -78997,9 +74976,7 @@ - + @@ -79059,22 +75036,20 @@ - -

personnel or roles designated to receive the results of security and privacy function verification is/are defined;

-
+ +

personnel or roles designated to receive the results of security and privacy function verification is/are defined;

+
- + -

Report the results of security and privacy function verification to .

+

Report the results of security and privacy function verification to .

Organizational personnel with potential interest in the results of the verification of security and privacy functions include systems security officers, senior agency information security officers, and senior agency officials for privacy.

@@ -79083,11 +75058,11 @@ -

the results of security function verification are reported to ;

+

the results of security function verification are reported to ;

-

the results of privacy function verification are reported to .

+

the results of privacy function verification are reported to .

@@ -79128,83 +75103,65 @@ Software, Firmware, and Information Integrity - - - + + + - - - + + + - -

software requiring integrity verification tools to be employed to detect unauthorized changes is defined;

-
+ +

software requiring integrity verification tools to be employed to detect unauthorized changes is defined;

+
- -

firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined;

-
+ +

firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined;

+
- -

information requiring integrity verification tools to be employed to detect unauthorized changes is defined;

-
+ +

information requiring integrity verification tools to be employed to detect unauthorized changes is defined;

+
- -

actions to be taken when unauthorized changes to software are detected are defined;

-
+ +

actions to be taken when unauthorized changes to software are detected are defined;

+
- -

actions to be taken when unauthorized changes to firmware are detected are defined;

-
+ +

actions to be taken when unauthorized changes to firmware are detected are defined;

+
- -

actions to be taken when unauthorized changes to information are detected are defined;

-
+ +

actions to be taken when unauthorized changes to information are detected are defined;

+
- - - + + + @@ -79238,11 +75195,11 @@ -

Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: ; and

+

Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: ; and

-

Take the following actions when unauthorized changes to the software, firmware, and information are detected: .

+

Take the following actions when unauthorized changes to the software, firmware, and information are detected: .

@@ -79254,33 +75211,30 @@ -

integrity verification tools are employed to detect unauthorized changes to ;

+

integrity verification tools are employed to detect unauthorized changes to ;

-

integrity verification tools are employed to detect unauthorized changes to ;

+

integrity verification tools are employed to detect unauthorized changes to ;

-

integrity verification tools are employed to detect unauthorized changes to ;

+

integrity verification tools are employed to detect unauthorized changes to ;

-

- are taken when unauthorized changes to the software, are detected;

+

are taken when unauthorized changes to the software, are detected;

-

- are taken when unauthorized changes to the firmware are detected;

+

are taken when unauthorized changes to the firmware are detected;

-

- are taken when unauthorized changes to the information are detected.

+

are taken when unauthorized changes to the information are detected.
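Review bot: the three "-"/"+" pairs in this hunk change text content, not only indentation: in the old lines the paragraph text starts on the line after the opening tag (a bare "-" line followed by "are taken when unauthorized changes to the software, are detected;"), while the "+" lines begin the text immediately, so a leading newline and indent inside the text node is dropped. That is acceptable for a whitespace fixup only if consumers of the catalog already normalize leading whitespace in prose; say so in the commit message. Separately, the stray comma in "to the software, are detected" is carried over unchanged into the "+" line; since this commit is deliberately whitespace-only, track it as a separate content fix rather than folding it in here.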

@@ -79321,169 +75275,128 @@ Integrity Checks - - - + + + - - - + + + - - - + + + - - - + + + - -

software on which an integrity check is to be performed is defined;

-
+ +

software on which an integrity check is to be performed is defined;

+
- -

transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected);

-
+ +

transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected);

+
- -

frequency with which to perform an integrity check (on software) is defined (if selected);

-
+ +

frequency with which to perform an integrity check (on software) is defined (if selected);

+
- -

firmware on which an integrity check is to be performed is defined;

-
+ +

firmware on which an integrity check is to be performed is defined;

+
- -

transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected);

-
+ +

transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected);

+
- -

frequency with which to perform an integrity check (on firmware) is defined (if selected);

-
+ +

frequency with which to perform an integrity check (on firmware) is defined (if selected);

+
- -

information on which an integrity check is to be performed is defined;

-
+ +

information on which an integrity check is to be performed is defined;

+
- -

transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected);

-
+ +

transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected);

+
- -

frequency with which to perform an integrity check (of information) is defined (if selected);

-
+ +

frequency with which to perform an integrity check (of information) is defined (if selected);

+
- - + + -

Perform an integrity check of - .

+

Perform an integrity check of .

Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort.

@@ -79492,15 +75405,15 @@ -

an integrity check of is performed ;

+

an integrity check of is performed ;

-

an integrity check of is performed ;

+

an integrity check of is performed ;

-

an integrity check of is performed .

+

an integrity check of is performed .

@@ -79542,29 +75455,25 @@ - -

personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification is/are defined;

-
+ +

personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification is/are defined;

+
- - + + -

Employ automated tools that provide notification to upon discovering discrepancies during integrity verification.

+

Employ automated tools that provide notification to upon discovering discrepancies during integrity verification.

The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely matter is essential to effective risk response. Personnel with an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, senior agency official for privacy, system administrators, software developers, systems integrators, information security officers, and privacy officers.

-

automated tools that provide notification to upon discovering discrepancies during integrity verification are employed.

+

automated tools that provide notification to upon discovering discrepancies during integrity verification are employed.

@@ -79610,12 +75519,8 @@ - - + + @@ -79677,38 +75582,32 @@ - -

controls to be implemented automatically when integrity violations are discovered are defined (if selected);

-
+ +

controls to be implemented automatically when integrity violations are discovered are defined (if selected);

+
- - + + -

Automatically when integrity violations are discovered.

+

Automatically when integrity violations are discovered.

Organizations may define different integrity-checking responses by type of information, specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur.

-

- are automatically performed when integrity violations are discovered.

+

are automatically performed when integrity violations are discovered.

@@ -79752,12 +75651,8 @@ - - + + @@ -79821,24 +75716,18 @@ Integration of Detection and Response - + - -

security-relevant changes to the system are defined;

-
+ +

security-relevant changes to the system are defined;

+
- - + + @@ -79846,14 +75735,14 @@ -

Incorporate the detection of the following unauthorized changes into the organizational incident response capability: .

+

Incorporate the detection of the following unauthorized changes into the organizational incident response capability: .

Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges.

-

the detection of are incorporated into the organizational incident response capability.

+

the detection of are incorporated into the organizational incident response capability.

@@ -79898,44 +75787,37 @@ - -

personnel or roles to be alerted upon the detection of a potential integrity violation is/are defined (if selected);

-
+ +

personnel or roles to be alerted upon the detection of a potential integrity violation is/are defined (if selected);

+
- -

other actions to be taken upon the detection of a potential integrity violation are defined (if selected);

-
+ +

other actions to be taken upon the detection of a potential integrity violation are defined (if selected);

+
- - + + -

Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: .

+

Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: .

Organizations select response actions based on types of software, specific software, or information for which there are potential integrity violations.

@@ -79948,8 +75830,7 @@
-

- is/are initiated upon the detection of a potential integrity violation.

+

is/are initiated upon the detection of a potential integrity violation.

@@ -79997,30 +75878,26 @@ - -

system components requiring integrity verification of the boot process are defined;

-
+ +

system components requiring integrity verification of the boot process are defined;

+
- - + + -

Verify the integrity of the boot process of the following system components: .

+

Verify the integrity of the boot process of the following system components: .

Ensuring the integrity of boot processes is critical to starting system components in known, trustworthy states. Integrity verification mechanisms provide a level of assurance that only trusted code is executed during boot processes.

-

the integrity of the boot process of is verified.

+

the integrity of the boot process of is verified.

@@ -80063,39 +75940,34 @@ - -

mechanisms to be implemented to protect the integrity of boot firmware in system components are defined;

-
+ +

mechanisms to be implemented to protect the integrity of boot firmware in system components are defined;

+
- -

system components requiring mechanisms to protect the integrity of boot firmware are defined;

-
+ +

system components requiring mechanisms to protect the integrity of boot firmware are defined;

+
- - + + -

Implement the following mechanisms to protect the integrity of boot firmware in : .

+

Implement the following mechanisms to protect the integrity of boot firmware in : .

Unauthorized modifications to boot firmware may indicate a sophisticated, targeted attack. These types of targeted attacks can result in a permanent denial of service or a persistent malicious code presence. These situations can occur if the firmware is corrupted or if the malicious code is embedded within the firmware. System components can protect the integrity of boot firmware in organizational systems by verifying the integrity and authenticity of all updates to the firmware prior to applying changes to the system component and preventing unauthorized processes from modifying the boot firmware.

-

- are implemented to protect the integrity of boot firmware in .

+

are implemented to protect the integrity of boot firmware in .

@@ -80147,33 +76019,27 @@ - -

user-installed software requiring integrity verification prior to execution is defined;

-
+ +

user-installed software requiring integrity verification prior to execution is defined;

+
- - - + + + -

Require that the integrity of the following user-installed software be verified prior to execution: .

+

Require that the integrity of the following user-installed software be verified prior to execution: .

Organizations verify the integrity of user-installed software prior to execution to reduce the likelihood of executing malicious code or programs that contains errors from unauthorized modifications. Organizations consider the practicality of approaches to verifying software integrity, including the availability of trustworthy checksums from software developers and vendors.

-

the integrity of is verified prior to execution.

+

the integrity of is verified prior to execution.

@@ -80229,32 +76095,28 @@ - -

software or firmware components to be authenticated by cryptographic mechanisms prior to installation are defined;

-
+ +

software or firmware components to be authenticated by cryptographic mechanisms prior to installation are defined;

+
- - + + -

Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: .

+

Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: .

Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Organizations that employ cryptographic mechanisms also consider cryptographic key management solutions.

-

cryptographic mechanisms are implemented to authenticate prior to installation.

+

cryptographic mechanisms are implemented to authenticate prior to installation.

@@ -80295,29 +76157,25 @@ - -

the maximum time period permitted for processes to execute without supervision is defined;

-
+ +

the maximum time period permitted for processes to execute without supervision is defined;

+
- - + + -

Prohibit processes from executing without supervision for more than .

+

Prohibit processes from executing without supervision for more than .

Placing a time limit on process execution without supervision is intended to apply to processes for which typical or normal execution periods can be determined and situations in which organizations exceed such periods. Supervision includes timers on operating systems, automated responses, and manual oversight and response when system process anomalies occur.

-

processes are prohibited from executing without supervision for more than .

+

processes are prohibited from executing without supervision for more than .

@@ -80358,34 +76216,27 @@ - -

controls to be implemented for application self-protection at runtime are defined;

-
+ +

controls to be implemented for application self-protection at runtime are defined;

+
- - - + + + -

Implement for application self-protection at runtime.

+

Implement for application self-protection at runtime.

Runtime application self-protection employs runtime instrumentation to detect and block the exploitation of software vulnerabilities by taking advantage of information from the software in execution. Runtime exploit prevention differs from traditional perimeter-based protections such as guards and firewalls which can only detect and block attacks by using network information without contextual awareness. Runtime application self-protection technology can reduce the susceptibility of software to attacks by monitoring its inputs and blocking those inputs that could allow attacks. It can also help protect the runtime environment from unwanted changes and tampering. When a threat is detected, runtime application self-protection technology can prevent exploitation and take other actions (e.g., sending a warning message to the user, terminating the user's session, terminating the application, or sending an alert to organizational personnel). Runtime application self-protection solutions can be deployed in either a monitor or protection mode.

-

- are implemented for application self-protection at runtime.

+

are implemented for application self-protection at runtime.

@@ -80426,9 +76277,7 @@ - + @@ -80525,26 +76374,24 @@ - -

the frequency at which to automatically update spam protection mechanisms is defined;

-
+ +

the frequency at which to automatically update spam protection mechanisms is defined;

+
- + -

Automatically update spam protection mechanisms .

+

Automatically update spam protection mechanisms .

Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capabilities.

-

spam protection mechanisms are automatically updated .

+

spam protection mechanisms are automatically updated .

@@ -80586,9 +76433,7 @@ - +

Implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.

@@ -80651,35 +76496,28 @@ - + - -

information inputs to the system requiring validity checks are defined;

-
+ +

information inputs to the system requiring validity checks are defined;

+
- - + + -

Check the validity of the following information inputs: .

+

Check the validity of the following information inputs: .

-

Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, - abc, or %K% are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks.

+

Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, abc, or %K% are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks.

-

the validity of the is checked.

+

the validity of the is checked.

@@ -80722,22 +76560,16 @@ - -

authorized individuals who can use the manual override capability are defined;

-
+ +

authorized individuals who can use the manual override capability are defined;

+
- - - + + + @@ -80745,11 +76577,11 @@ -

Provide a manual override capability for input validation of the following information inputs: ;

+

Provide a manual override capability for input validation of the following information inputs: ;

-

Restrict the use of the manual override capability to only ; and

+

Restrict the use of the manual override capability to only ; and

@@ -80763,11 +76595,11 @@ -

a manual override capability for the validation of is provided;

+

a manual override capability for the validation of is provided;

-

the use of the manual override capability is restricted to only ;

+

the use of the manual override capability is restricted to only ;

@@ -80813,40 +76645,32 @@ Review and Resolve Errors - - + + - -

the time period within which input validation errors are to be reviewed is defined;

-
+ +

the time period within which input validation errors are to be reviewed is defined;

+
- -

the time period within which input validation errors are to be resolved is defined;

-
+ +

the time period within which input validation errors are to be resolved is defined;

+
- - + + -

Review and resolve input validation errors within .

+

Review and resolve input validation errors within .

Resolution of input validation errors includes correcting systemic causes of errors and resubmitting transactions with corrected input. Input validation errors are those related to the information inputs defined by the organization in the base control ( SI-10).

@@ -80855,11 +76679,11 @@ -

input validation errors are reviewed within ;

+

input validation errors are reviewed within ;

-

input validation errors are resolved within .

+

input validation errors are resolved within .

@@ -80901,15 +76725,9 @@ - - - + + +

Verify that the system behaves in a predictable and documented manner when invalid inputs are received.

@@ -80965,12 +76783,8 @@ - - + +

Account for timing interactions among system components in determining appropriate responses for invalid inputs.

@@ -81021,39 +76835,35 @@ - -

trusted sources to which the use of information inputs is to be restricted are defined;

-
+ +

trusted sources to which the use of information inputs is to be restricted are defined;

+
- -

formats to which the use of information inputs is to be restricted are defined;

-
+ +

formats to which the use of information inputs is to be restricted are defined;

+
- - + + -

Restrict the use of information inputs to and/or .

+

Restrict the use of information inputs to and/or .

Restricting the use of inputs to trusted sources and in trusted formats applies the concept of authorized or permitted software to information inputs. Specifying known trusted sources for information inputs and acceptable formats for such inputs can reduce the probability of malicious activity. The information inputs are those defined by the organization in the base control ( SI-10).

-

the use of information inputs is restricted to and/or .

+

the use of information inputs is restricted to and/or .

@@ -81095,12 +76905,8 @@ - - + + @@ -81156,16 +76962,14 @@ - -

personnel or roles to whom error messages are to be revealed is/are defined;

-
+ +

personnel or roles to whom error messages are to be revealed is/are defined;

+
- + @@ -81178,7 +76982,7 @@
-

Reveal error messages only to .

+

Reveal error messages only to .

@@ -81192,7 +76996,7 @@ -

error messages are revealed only to .

+

error messages are revealed only to .

@@ -81235,9 +77039,7 @@ - + @@ -81275,7 +77077,7 @@

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

-

Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, AC-6(9), AT-4, AU-12, CA-2, CA-3, CA-5, CA-6, CA-7, CA-8, CA-9, CM-2, CM-3, CM-4, CM-6, CM-8, CM-9, CM-12, CM-13, CP-2, IR-6, IR-8, MA-2, MA-4, PE-2, PE-8, PE-16, PE-17, PL-2, PL-4, PL-7, PL-8, PM-5, PM-8, PM-9, PM-18, PM-21, PM-27, PM-28, PM-30, PM-31, PS-2, PS-6, PS-7, PT-2, PT-3, PT-7, RA-2, RA-3, RA-5, RA-8, SA-4, SA-5, SA-8, SA-10, SI-4, SR-2, SR-4, SR-8.

+

Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, AC-6(9), AT-4, AU-12, CA-2, CA-3, CA-5, CA-6, CA-7, CA-8, CA-9, CM-2, CM-3, CM-4, CM-6, CM-8, CM-9, CM-12, CM-13, CP-2, IR-6, IR-8, MA-2, MA-4, PE-2, PE-8, PE-16, PE-17, PL-2, PL-4, PL-7, PL-8, PM-5, PM-8, PM-9, PM-18, PM-21, PM-27, PM-28, PM-30, PM-31, PS-2, PS-6, PS-7, PT-2, PT-3, PT-7, RA-2, RA-3, RA-5, RA-8, SA-4, SA-5, SA-8, SA-10, SI-4, SR-2, SR-4, SR-8.

@@ -81341,27 +77143,25 @@ - -

elements of personally identifiable information being processed in the information life cycle are defined;

-
+ +

elements of personally identifiable information being processed in the information life cycle are defined;

+
- + -

Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: .

+

Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: .

Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for operational purposes helps to reduce the level of privacy risk created by a system. The information life cycle includes information creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining which elements of personally identifiable information may create risk.

-

personally identifiable information being processed in the information life cycle is limited to .

+

personally identifiable information being processed in the information life cycle is limited to .

@@ -81407,50 +77207,42 @@ Minimize Personally Identifiable Information in Testing, Training, and Research - - - + + + - -

techniques used to minimize the use of personally identifiable information for research are defined;

-
+ +

techniques used to minimize the use of personally identifiable information for research are defined;

+
- -

techniques used to minimize the use of personally identifiable information for testing are defined;

-
+ +

techniques used to minimize the use of personally identifiable information for testing are defined;

+
- -

techniques used to minimize the use of personally identifiable information for training are defined;

-
+ +

techniques used to minimize the use of personally identifiable information for training are defined;

+
- + -

Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: .

+

Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: .

Organizations can minimize the risk to an individual’s privacy by employing techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for research, testing, or training helps reduce the level of privacy risk created by a system. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining the techniques to use and when to use them.

@@ -81459,18 +77251,15 @@ -

- are used to minimize the use of personally identifiable information for research;

+

are used to minimize the use of personally identifiable information for research;

-

- are used to minimize the use of personally identifiable information for testing;

+

are used to minimize the use of personally identifiable information for testing;

-

- are used to minimize the use of personally identifiable information for training.

+

are used to minimize the use of personally identifiable information for training.

@@ -81516,47 +77305,39 @@ Information Disposal - - - + + + - -

techniques used to dispose of information following the retention period are defined;

-
+ +

techniques used to dispose of information following the retention period are defined;

+
- -

techniques used to destroy information following the retention period are defined;

-
+ +

techniques used to destroy information following the retention period are defined;

+
- -

techniques used to erase information following the retention period are defined;

-
+ +

techniques used to erase information following the retention period are defined;

+
- + -

Use the following techniques to dispose of, destroy, or erase information following the retention period: .

+

Use the following techniques to dispose of, destroy, or erase information following the retention period: .

Organizations can minimize both security and privacy risks by disposing of information when it is no longer needed. The disposal or destruction of information applies to originals as well as copies and archived records, including system logs that may contain personally identifiable information.

@@ -81565,18 +77346,15 @@ -

- are used to dispose of information following the retention period;

+

are used to dispose of information following the retention period;

-

- are used to destroy information following the retention period;

+

are used to destroy information following the retention period;

-

- are used to erase information following the retention period.

+

are used to erase information following the retention period.

@@ -81627,30 +77405,24 @@ - -

system components for which mean time to failure (MTTF) should be determined are defined;

-
+ +

system components for which mean time to failure (MTTF) should be determined are defined;

+
- + - -

mean time to failure (MTTF) substitution criteria to be used as a means to exchange active and standby components are defined;

-
+ +

mean time to failure (MTTF) substitution criteria to be used as a means to exchange active and standby components are defined;

+
- - + + @@ -81661,11 +77433,11 @@ -

Determine mean time to failure (MTTF) for the following system components in specific environments of operation: ; and

+

Determine mean time to failure (MTTF) for the following system components in specific environments of operation: ; and

-

Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: .

+

Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: .

@@ -81675,11 +77447,11 @@ -

mean time to failure (MTTF) is determined for in specific environments of operation;

+

mean time to failure (MTTF) is determined for in specific environments of operation;

-

substitute system components and a means to exchange active and standby components are provided in accordance with .

+

substitute system components and a means to exchange active and standby components are provided in accordance with .

@@ -81720,29 +77492,25 @@ - -

the fraction or percentage of mean time to failure within which to transfer the responsibilities of a system component to a substitute component is defined;

-
+ +

the fraction or percentage of mean time to failure within which to transfer the responsibilities of a system component to a substitute component is defined;

+
- - + + -

Take system components out of service by transferring component responsibilities to substitute components no later than of mean time to failure.

+

Take system components out of service by transferring component responsibilities to substitute components no later than of mean time to failure.

Transferring primary system component responsibilities to other substitute components prior to primary component failure is important to reduce the risk of degraded or debilitated mission or business functions. Making such transfers based on a percentage of mean time to failure allows organizations to be proactive based on their risk tolerance. However, the premature replacement of system components can result in the increased cost of system operations.

-

system components are taken out of service by transferring component responsibilities to substitute components no later than of mean time to failure.

+

system components are taken out of service by transferring component responsibilities to substitute components no later than of mean time to failure.

@@ -81791,29 +77559,25 @@ - -

the percentage of the mean time to failure for transfers to be manually initiated is defined;

-
+ +

the percentage of the mean time to failure for transfers to be manually initiated is defined;

+
- - + + -

Manually initiate transfers between active and standby system components when the use of the active component reaches of the mean time to failure.

+

Manually initiate transfers between active and standby system components when the use of the active component reaches of the mean time to failure.

For example, if the MTTF for a system component is 100 days and the MTTF percentage defined by the organization is 90 percent, the manual transfer would occur after 90 days.

-

transfers are initiated manually between active and standby system components when the use of the active component reaches of the mean time to failure.

+

transfers are initiated manually between active and standby system components when the use of the active component reaches of the mean time to failure.

@@ -81853,61 +77617,51 @@ - -

time period for standby components to be installed is defined;

-
+ +

time period for standby components to be installed is defined;

+
- -

alarm to be activated when system component failures are detected is defined (if selected);

-
+ +

alarm to be activated when system component failures are detected is defined (if selected);

+
- -

action to be taken when system component failures are detected is defined (if selected);

-
+ +

action to be taken when system component failures are detected is defined (if selected);

+
- - - + + +

If system component failures are detected:

-

Ensure that the standby components are successfully and transparently installed within ; and

+

Ensure that the standby components are successfully and transparently installed within ; and

-

- .

+

.

@@ -81917,12 +77671,11 @@ -

the standby components are successfully and transparently installed within if system component failures are detected;

+

the standby components are successfully and transparently installed within if system component failures are detected;

-

- are performed if system component failures are detected.

+

are performed if system component failures are detected.

@@ -81974,35 +77727,28 @@ - -

a failover capability for the system has been defined;

-
+ +

a failover capability for the system has been defined;

+
- - + + -

Provide - for the system.

+

Provide for the system.

Failover refers to the automatic switchover to an alternate system upon the failure of the primary system. Failover capability includes incorporating mirrored system operations at alternate processing sites or periodic data mirroring at regular intervals defined by the recovery time periods of organizations.

-

- - is provided for the system.

+

is provided for the system.
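Review bot: joining the deleted lines `Provide` and `- for the system.` into the single added line `Provide for the system.` (and likewise `- - is provided for the system.` into `is provided for the system.`) changes the whitespace inside a mixed-content text node, and in XML that whitespace is not ignorable, so a consumer that renders the element verbatim now sees one space where it previously saw a line break plus indentation. That is the intended effect of a reformat, but it means a byte-level comparison of text nodes will differ; verify equivalence by comparing the two documents with whitespace-normalized text (for example `normalize-space()` over the affected prose elements) rather than by a line diff, and check that no join produced a missing space around the inline parameter reference.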

@@ -82045,42 +77791,36 @@ - -

non-persistent system components and services to be implemented are defined;

-
+ +

non-persistent system components and services to be implemented are defined;

+
- -

the frequency at which to terminate non-persistent components and services that are initiated in a known state is defined (if selected);

-
+ +

the frequency at which to terminate non-persistent components and services that are initiated in a known state is defined (if selected);

+
- - + + -

Implement non-persistent that are initiated in a known state and terminated .

+

Implement non-persistent that are initiated in a known state and terminated .

Implementation of non-persistent components and services mitigates risk from advanced persistent threats (APTs) by reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. By implementing the concept of non-persistence for selected system components, organizations can provide a trusted, known state computing resource for a specific time period that does not give adversaries sufficient time to exploit vulnerabilities in organizational systems or operating environments. Since the APT is a high-end, sophisticated threat with regard to capability, intent, and targeting, organizations assume that over an extended period, a percentage of attacks will be successful. Non-persistent system components and services are activated as required using protected information and terminated periodically or at the end of sessions. Non-persistence increases the work factor of adversaries attempting to compromise or breach organizational systems.

@@ -82090,11 +77830,11 @@ -

non-persistent that are initiated in a known state are implemented;

+

non-persistent that are initiated in a known state are implemented;

-

non-persistent are terminated .

+

non-persistent are terminated .

@@ -82134,29 +77874,25 @@ - -

trusted sources to obtain software and data for system component and service refreshes are defined;

-
+ +

trusted sources to obtain software and data for system component and service refreshes are defined;

+
- - + + -

Obtain software and data employed during system component and service refreshes from the following trusted sources: .

+

Obtain software and data employed during system component and service refreshes from the following trusted sources: .

Trusted sources include software and data from write-once, read-only media or from selected offline secure storage facilities.

-

the software and data employed during system component and service refreshes are obtained from .

+

the software and data employed during system component and service refreshes are obtained from .

@@ -82195,9 +77931,7 @@ @@ -82205,41 +77939,36 @@ - -

the information to be refreshed is defined (if selected);

-
+ +

the information to be refreshed is defined (if selected);

+
- -

the frequency at which to refresh information is defined (if selected);

-
+ +

the frequency at which to refresh information is defined (if selected);

+
- -

the information to be generated is defined (if selected);

-
+ +

the information to be generated is defined (if selected);

+
- - + + -

- ; and

+

; and

@@ -82253,8 +77982,7 @@ -

- is performed;

+

is performed;

@@ -82305,16 +78033,12 @@ - - + + -

Establish connections to the system on demand and terminate connections after .

+

Establish connections to the system on demand and terminate connections after .

Persistent connections to systems can provide advanced adversaries with paths to move laterally through systems and potentially position themselves closer to high value assets. Limiting the availability of such connections impedes the adversary’s ability to move freely through organizational systems.

@@ -82327,7 +78051,7 @@
-

connections to the system are terminated after .

+

connections to the system are terminated after .

@@ -82368,31 +78092,27 @@ - -

software programs and/or applications whose information output requires validation are defined;

-
+ +

software programs and/or applications whose information output requires validation are defined;

+
- - + + -

Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: .

+

Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: .

Certain types of attacks, including SQL injections, produce output results that are unexpected or inconsistent with the output results that would be expected from software programs or applications. Information output filtering focuses on detecting extraneous content, preventing such extraneous content from being displayed, and then alerting monitoring tools that anomalous behavior has been discovered.

-

information output from is validated to ensure that the information is consistent with the expected content.

+

information output from is validated to ensure that the information is consistent with the expected content.

@@ -82433,32 +78153,27 @@ - -

controls to be implemented to protect the system memory from unauthorized code execution are defined;

-
+ +

controls to be implemented to protect the system memory from unauthorized code execution are defined;

+
- - + + -

Implement the following controls to protect the system memory from unauthorized code execution: .

+

Implement the following controls to protect the system memory from unauthorized code execution: .

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism.

-

- are implemented to protect the system memory from unauthorized code execution.

+

are implemented to protect the system memory from unauthorized code execution.

@@ -82496,51 +78211,42 @@ Fail-safe Procedures - - + + - -

fail-safe procedures associated with failure conditions are defined;

-
+ +

fail-safe procedures associated with failure conditions are defined;

+
- -

a list of failure conditions requiring fail-safe procedures is defined;

-
+ +

a list of failure conditions requiring fail-safe procedures is defined;

+
- - + + -

Implement the indicated fail-safe procedures when the indicated failures occur: .

+

Implement the indicated fail-safe procedures when the indicated failures occur: .

Failure conditions include the loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include alerting operator personnel and providing specific instructions on subsequent steps to take. Subsequent steps may include doing nothing, reestablishing system settings, shutting down processes, restarting the system, or contacting designated organizational personnel.

-

- are implemented when occur.

+

are implemented when occur.

@@ -82579,57 +78285,45 @@ Personally Identifiable Information Quality Operations - - - - + + + + - -

the frequency at which to check the accuracy of personally identifiable information across the information life cycle is defined;

-
+ +

the frequency at which to check the accuracy of personally identifiable information across the information life cycle is defined;

+
- -

the frequency at which to check the relevance of personally identifiable information across the information life cycle is defined;

-
+ +

the frequency at which to check the relevance of personally identifiable information across the information life cycle is defined;

+
- -

the frequency at which to check the timeliness of personally identifiable information across the information life cycle is defined;

-
+ +

the frequency at which to check the timeliness of personally identifiable information across the information life cycle is defined;

+
- -

the frequency at which to check the completeness of personally identifiable information across the information life cycle is defined;

-
+ +

the frequency at which to check the completeness of personally identifiable information across the information life cycle is defined;

+
- - + + @@ -82640,7 +78334,7 @@ -

Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle ; and

+

Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle ; and

@@ -82656,19 +78350,19 @@ -

the accuracy of personally identifiable information across the information life cycle is checked ;

+

the accuracy of personally identifiable information across the information life cycle is checked ;

-

the relevance of personally identifiable information across the information life cycle is checked ;

+

the relevance of personally identifiable information across the information life cycle is checked ;

-

the timeliness of personally identifiable information across the information life cycle is checked ;

+

the timeliness of personally identifiable information across the information life cycle is checked ;

-

the completeness of personally identifiable information across the information life cycle is checked ;

+

the completeness of personally identifiable information across the information life cycle is checked ;

@@ -82718,24 +78412,20 @@ - -

automated mechanisms used to correct or delete personally identifiable information that is inaccurate, outdated, incorrectly determined regarding impact, or incorrectly de-identified are defined;

-
+ +

automated mechanisms used to correct or delete personally identifiable information that is inaccurate, outdated, incorrectly determined regarding impact, or incorrectly de-identified are defined;

+
- - + + -

Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using .

+

Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using .

The use of automated mechanisms to improve data quality may inadvertently create privacy risks. Automated tools may connect to external or otherwise unrelated systems, and the matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessments and make determinations that are in alignment with their privacy program plans.

@@ -82743,8 +78433,7 @@
-

- are used to correct or delete personally identifiable information that is inaccurate, outdated, incorrectly determined regarding impact, or incorrectly de-identified.

+

are used to correct or delete personally identifiable information that is inaccurate, outdated, incorrectly determined regarding impact, or incorrectly de-identified.

@@ -82787,12 +78476,8 @@ - - + + @@ -82847,12 +78532,8 @@ - - + +

Collect personally identifiable information directly from the individual.

@@ -82903,12 +78584,8 @@ - - + +

Correct or delete personally identifiable information upon request by individuals or their designated representatives.

@@ -82959,35 +78636,28 @@ Notice of Correction or Deletion - + - -

recipients of personally identifiable information to be notified when the personally identifiable information has been corrected or deleted are defined;

-
+ +

recipients of personally identifiable information to be notified when the personally identifiable information has been corrected or deleted are defined;

+
- - + + -

Notify and individuals that the personally identifiable information has been corrected or deleted.

+

Notify and individuals that the personally identifiable information has been corrected or deleted.

When personally identifiable information is corrected or deleted, organizations take steps to ensure that all authorized recipients of such information, and the individual with whom the information is associated or their designated representatives, are informed of the corrected or deleted information.

-

- and individuals are notified when the personally identifiable information has been corrected or deleted.

+

and individuals are notified when the personally identifiable information has been corrected or deleted.

@@ -83029,32 +78699,26 @@ De-identification - + - -

elements of personally identifiable information to be removed from datasets are defined;

-
+ +

elements of personally identifiable information to be removed from datasets are defined;

+
- -

the frequency at which to evaluate the effectiveness of de-identification is defined;

-
+ +

the frequency at which to evaluate the effectiveness of de-identification is defined;

+
- - + + @@ -83066,11 +78730,11 @@ -

Remove the following elements of personally identifiable information from datasets: ; and

+

Remove the following elements of personally identifiable information from datasets: ; and

-

Evaluate for effectiveness of de-identification.

+

Evaluate for effectiveness of de-identification.

@@ -83080,12 +78744,11 @@ -

- are removed from datasets;

+

are removed from datasets;

-

the effectiveness of de-identification is evaluated .

+

the effectiveness of de-identification is evaluated .

@@ -83126,12 +78789,8 @@ - - + +

De-identify the dataset upon collection by not collecting personally identifiable information.

@@ -83182,12 +78841,8 @@ - - + +

Prohibit archiving of personally identifiable information elements if those elements in a dataset will not be needed after the dataset is archived.

@@ -83238,12 +78893,8 @@ - - + +

Remove personally identifiable information elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.

@@ -83294,9 +78945,7 @@ - + @@ -83304,8 +78953,7 @@

Remove, mask, encrypt, hash, or replace direct identifiers in a dataset.

-

There are many possible processes for removing direct identifiers from a dataset. Columns in a dataset that contain a direct identifier can be removed. In masking, the direct identifier is transformed into a repeating character, such as XXXXXX or 999999. Identifiers can be encrypted or hashed so that the linked records remain linked. In the case of encryption or hashing, algorithms are employed that require the use of a key, including the Advanced Encryption Standard or a Hash-based Message Authentication Code. Implementations may use the same key for all identifiers or use a different key for each identifier. Using a different key for each identifier provides a higher degree of security and privacy. Identifiers can alternatively be replaced with a keyword, including transforming George Washington to PATIENT or replacing it with a surrogate value, such as transforming George Washington to Abraham Polk. -

+

There are many possible processes for removing direct identifiers from a dataset. Columns in a dataset that contain a direct identifier can be removed. In masking, the direct identifier is transformed into a repeating character, such as XXXXXX or 999999. Identifiers can be encrypted or hashed so that the linked records remain linked. In the case of encryption or hashing, algorithms are employed that require the use of a key, including the Advanced Encryption Standard or a Hash-based Message Authentication Code. Implementations may use the same key for all identifiers or use a different key for each identifier. Using a different key for each identifier provides a higher degree of security and privacy. Identifiers can alternatively be replaced with a keyword, including transforming George Washington to PATIENT or replacing it with a surrogate value, such as transforming George Washington to Abraham Polk.
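Review bot: the paragraph beginning `There are many possible processes for removing direct identifiers from a dataset.` is now a single long line, which is faithful to the source text but makes future line-oriented diffs of this prose noisy, since a one-word edit will show the whole paragraph as changed. If the catalog is maintained by hand, consider a wrapping policy for long prose; if it is regenerated by tooling, the long line is fine and nothing in this hunk needs to change.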

@@ -83350,12 +78998,8 @@ - - + +

Manipulate numerical data, contingency tables, and statistical findings so that no individual or organization is identifiable in the results of the analysis.

@@ -83418,12 +79062,8 @@ - - + + @@ -83477,9 +79117,7 @@ - +

Perform de-identification using validated algorithms and software that is validated to implement the algorithms.

@@ -83537,12 +79175,8 @@ - - + +

Perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.

@@ -83595,34 +79229,28 @@ - -

the systems or system components with data or capabilities to be embedded are defined;

-
+ +

the systems or system components with data or capabilities to be embedded are defined;

+
- - - + + + -

Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: .

+

Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: .

-

Many cyber-attacks target organizational information, or information that the organization holds on behalf of other entities (e.g., personally identifiable information), and exfiltrate that data. In addition, insider attacks and erroneous user procedures can remove information from the system that is in violation of the organizational policies. Tainting approaches can range from passive to active. A passive tainting approach can be as simple as adding false email names and addresses to an internal database. If the organization receives email at one of the false email addresses, it knows that the database has been compromised. Moreover, the organization knows that the email was sent by an unauthorized entity, so any packets it includes potentially contain malicious code, and that the unauthorized entity may have potentially obtained a copy of the database. Another tainting approach can include embedding false data or steganographic data in files to enable the data to be found via open-source analysis. Finally, an active tainting approach can include embedding software in the data that is able to call home, thereby alerting the organization to its capture, and possibly its location, and the path by which it was exfiltrated or removed.

+

Many cyber-attacks target organizational information, or information that the organization holds on behalf of other entities (e.g., personally identifiable information), and exfiltrate that data. In addition, insider attacks and erroneous user procedures can remove information from the system that is in violation of the organizational policies. Tainting approaches can range from passive to active. A passive tainting approach can be as simple as adding false email names and addresses to an internal database. If the organization receives email at one of the false email addresses, it knows that the database has been compromised. Moreover, the organization knows that the email was sent by an unauthorized entity, so any packets it includes potentially contain malicious code, and that the unauthorized entity may have potentially obtained a copy of the database. Another tainting approach can include embedding false data or steganographic data in files to enable the data to be found via open-source analysis. Finally, an active tainting approach can include embedding software in the data that is able to call home, thereby alerting the organization to its capture, and possibly its location, and the path by which it was exfiltrated or removed.

-

data or capabilities are embedded in to determine if organizational data has been exfiltrated or improperly removed from the organization.

+

data or capabilities are embedded in to determine if organizational data has been exfiltrated or improperly removed from the organization.

@@ -83665,42 +79293,36 @@ - -

the information to be refreshed is defined;

-
+ +

the information to be refreshed is defined;

+
- -

the frequencies at which to refresh information are defined;

-
+ +

the frequencies at which to refresh information are defined;

+
- - - + + + -

Refresh at or generate the information on demand and delete the information when no longer needed.

+

Refresh at or generate the information on demand and delete the information when no longer needed.

Retaining information for longer than it is needed makes it an increasingly valuable and enticing target for adversaries. Keeping information available for the minimum period of time needed to support organizational missions or business functions reduces the opportunity for adversaries to compromise, capture, and exfiltrate that information.

-

the is refreshed or is generated on demand and deleted when no longer needed.

+

the is refreshed or is generated on demand and deleted when no longer needed.

@@ -83744,47 +79366,41 @@ - -

alternative information sources for essential functions and services are defined;

-
+ +

alternative information sources for essential functions and services are defined;

+
- -

essential functions and services that require alternative sources of information are defined;

-
+ +

essential functions and services that require alternative sources of information are defined;

+
- -

systems or system components that require an alternative information source for the execution of essential functions or services are defined;

-
+ +

systems or system components that require an alternative information source for the execution of essential functions or services are defined;

+
- - - + + + -

Identify the following alternative sources of information for : ; and

+

Identify the following alternative sources of information for : ; and

-

Use an alternative information source for the execution of essential functions or services on when the primary source of information is corrupted or unavailable.

+

Use an alternative information source for the execution of essential functions or services on when the primary source of information is corrupted or unavailable.

@@ -83794,12 +79410,11 @@ -

- for are identified;

+

for are identified;

-

an alternative information source is used for the execution of essential functions or services on when the primary source of information is corrupted or unavailable.

+

an alternative information source is used for the execution of essential functions or services on when the primary source of information is corrupted or unavailable.

@@ -83840,48 +79455,42 @@ - -

circumstances that require information fragmentation are defined;

-
+ +

circumstances that require information fragmentation are defined;

+
- -

the information to be fragmented is defined;

-
+ +

the information to be fragmented is defined;

+
- -

systems or system components across which the fragmented information is to be distributed are defined;

-
+ +

systems or system components across which the fragmented information is to be distributed are defined;

+
- - - + + + -

Based on :

+

Based on :

-

Fragment the following information: ; and

+

Fragment the following information: ; and

-

Distribute the fragmented information across the following systems or system components: .

+

Distribute the fragmented information across the following systems or system components: .

@@ -83891,11 +79500,11 @@ -

under , is fragmented;

+

under , is fragmented;

-

under , the fragmented information is distributed across .

+

under , the fragmented information is distributed across .

@@ -83943,27 +79552,23 @@ Policy and Procedures - - + + - -

personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined;

-
+ +

personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined;

+
- -

personnel or roles to whom supply chain risk management procedures are disseminated to is/are defined;

-
+ +

personnel or roles to whom supply chain risk management procedures are disseminated to is/are defined;

+
@@ -83978,51 +79583,47 @@ - -

an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;

-
+ +

an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;

+
- -

the frequency at which the current supply chain risk management policy is reviewed and updated is defined;

-
+ +

the frequency at which the current supply chain risk management policy is reviewed and updated is defined;

+
- -

events that require the current supply chain risk management policy to be reviewed and updated are defined;

-
+ +

events that require the current supply chain risk management policy to be reviewed and updated are defined;

+
- -

the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;

-
+ +

the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;

+
- -

events that require the supply chain risk management procedures to be reviewed and updated are defined;

-
+ +

events that require the supply chain risk management procedures to be reviewed and updated are defined;

+
- - + + @@ -84039,11 +79640,10 @@ -

Develop, document, and disseminate to :

+

Develop, document, and disseminate to :

-

- supply chain risk management policy that:

+

supply chain risk management policy that:

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

@@ -84060,18 +79660,18 @@
-

Designate an to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and

+

Designate an to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and

Review and update the current supply chain risk management:

-

Policy and following ; and

+

Policy and following ; and

-

Procedures and following .

+

Procedures and following .

@@ -84088,7 +79688,7 @@
-

the supply chain risk management policy is disseminated to ;

+

the supply chain risk management policy is disseminated to ;

@@ -84096,7 +79696,7 @@ -

the supply chain risk management procedures are disseminated to .

+

the supply chain risk management procedures are disseminated to .

@@ -84104,43 +79704,42 @@ -

the supply chain risk management policy addresses purpose;

+

the supply chain risk management policy addresses purpose;

-

the supply chain risk management policy addresses scope;

+

the supply chain risk management policy addresses scope;

-

- supply chain risk management policy addresses roles;

+

supply chain risk management policy addresses roles;

-

the supply chain risk management policy addresses responsibilities;

+

the supply chain risk management policy addresses responsibilities;

-

the supply chain risk management policy addresses management commitment;

+

the supply chain risk management policy addresses management commitment;

-

the supply chain risk management policy addresses coordination among organizational entities;

+

the supply chain risk management policy addresses coordination among organizational entities;

-

the supply chain risk management policy addresses compliance.

+

the supply chain risk management policy addresses compliance.

-

the supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

+

the supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

-

the is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;

+

the is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;

@@ -84148,22 +79747,22 @@ -

the current supply chain risk management policy is reviewed and updated ;

+

the current supply chain risk management policy is reviewed and updated ;

-

the current supply chain risk management policy is reviewed and updated following ;

+

the current supply chain risk management policy is reviewed and updated following ;

-

the current supply chain risk management procedures are reviewed and updated ;

+

the current supply chain risk management procedures are reviewed and updated ;

-

the current supply chain risk management procedures are reviewed and updated following .

+

the current supply chain risk management procedures are reviewed and updated following .

@@ -84196,27 +79795,23 @@ - -

systems, system components, or system services for which a supply chain risk management plan is developed are defined;

-
+ +

systems, system components, or system services for which a supply chain risk management plan is developed are defined;

+
- -

the frequency at which to review and update the supply chain risk management plan is defined;

-
+ +

the frequency at which to review and update the supply chain risk management plan is defined;

+
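Review bot: the removed and added markers in this hunk are interleaved (a lone `-` before the `systems, system components, or system services for which a supply chain risk management plan is developed are defined;` text, then a `+ +` pair after it, and the same shape again around `the frequency at which to review and update the supply chain risk management plan is defined;`), which is the pattern a line diff produces when closing tags move relative to the text, not only when indentation changes; please verify with a canonicalized comparison (`xmllint --c14n` on the old and new file, or at minimum `diff -w`) that element order and nesting inside the parameter definitions are unchanged.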
- - + + @@ -84244,11 +79839,11 @@ -

Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: ;

+

Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: ;

-

Review and update the supply chain risk management plan or as required, to address threat, organizational or environmental changes; and

+

Review and update the supply chain risk management plan or as required, to address threat, organizational or environmental changes; and

@@ -84257,7 +79852,7 @@

The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.

-

Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8).

+

Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8).

@@ -84269,40 +79864,40 @@ -

the supply chain risk management plan addresses risks associated with the research and development of ;

+

the supply chain risk management plan addresses risks associated with the research and development of ;

-

the supply chain risk management plan addresses risks associated with the design of ;

+

the supply chain risk management plan addresses risks associated with the design of ;

-

the supply chain risk management plan addresses risks associated with the manufacturing of ;

+

the supply chain risk management plan addresses risks associated with the manufacturing of ;

-

the supply chain risk management plan addresses risks associated with the acquisition of ;

+

the supply chain risk management plan addresses risks associated with the acquisition of ;

-

the supply chain risk management plan addresses risks associated with the delivery of ;

+

the supply chain risk management plan addresses risks associated with the delivery of ;

-

the supply chain risk management plan addresses risks associated with the integration of ;

+

the supply chain risk management plan addresses risks associated with the integration of ;

-

the supply chain risk management plan addresses risks associated with the operation and maintenance of ;

+

the supply chain risk management plan addresses risks associated with the operation and maintenance of ;

-

the supply chain risk management plan addresses risks associated with the disposal of ;

+

the supply chain risk management plan addresses risks associated with the disposal of ;

-

the supply chain risk management plan is reviewed and updated or as required to address threat, organizational, or environmental changes;

+

the supply chain risk management plan is reviewed and updated or as required to address threat, organizational, or environmental changes;

@@ -84365,42 +79960,36 @@ Establish SCRM Team - + - -

the personnel, roles, and responsibilities of the supply chain risk management team are defined;

-
+ +

the personnel, roles, and responsibilities of the supply chain risk management team are defined;

+
- -

supply chain risk management activities are defined;

-
+ +

supply chain risk management activities are defined;

+
- - + + -

Establish a supply chain risk management team consisting of to lead and support the following SCRM activities: .

+

Establish a supply chain risk management team consisting of to lead and support the following SCRM activities: .

To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team.

-

a supply chain risk management team consisting of is established to lead and support .

+

a supply chain risk management team consisting of is established to lead and support .

@@ -84437,25 +80026,25 @@ - -

the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;

-
+ +

the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;

+
- -

supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;

-
+ +

supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;

+
- -

supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;

-
+ +

supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;

+
@@ -84463,31 +80052,23 @@ - -

the document identifying the selected and implemented supply chain processes and controls is defined (if selected);

-
+ +

the document identifying the selected and implemented supply chain processes and controls is defined (if selected);

+
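Review bot: the header `@@ -84463,31 +80052,23 @@` shows this region shrinking by eight lines while the only visible text (`the document identifying the selected and implemented supply chain processes and controls is defined (if selected);`) is unchanged; in a whitespace-only commit the dropped lines must be blank or indentation-only, so please confirm none of them were empty elements collapsed to self-closing form or multi-line attribute lists joined onto one line, since either is a serialization change that downstream OSCAL tooling comparing against the previous release would report.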
- - - + + + @@ -84521,15 +80102,15 @@ -

Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of in coordination with ;

+

Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of in coordination with ;

-

Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: ; and

+

Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: ; and

-

Document the selected and implemented supply chain processes and controls in .

+

Document the selected and implemented supply chain processes and controls in .

@@ -84541,21 +80122,20 @@ -

a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of ;

+

a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of ;

-

the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of is/are coordinated with ;

+

the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of is/are coordinated with ;

-

- are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;

+

are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;

-

the selected and implemented supply chain processes and controls are documented in .

+

the selected and implemented supply chain processes and controls are documented in .

@@ -84599,40 +80179,32 @@ Diverse Supply Base - - + + - -

system components with a diverse set of sources are defined;

-
+ +

system components with a diverse set of sources are defined;

+
- -

services with a diverse set of sources are defined;

-
+ +

services with a diverse set of sources are defined;

+
- - + + -

Employ a diverse set of sources for the following system components and services: .

+

Employ a diverse set of sources for the following system components and services: .

Diversifying the supply of systems, system components, and services can reduce the probability that adversaries will successfully identify and target the supply chain and can reduce the impact of a supply chain event or compromise. Identifying multiple suppliers for replacement components can reduce the probability that the replacement component will become unavailable. Employing a diverse set of developers or logistics service providers can reduce the impact of a natural disaster or other supply chain event. Organizations consider designing the system to include diverse materials and components.

@@ -84641,11 +80213,11 @@ -

a diverse set of sources is employed for ;

+

a diverse set of sources is employed for ;

-

a diverse set of sources is employed for .

+

a diverse set of sources is employed for .

@@ -84689,30 +80261,25 @@ - -

controls to limit harm from potential supply chain adversaries are defined;

-
+ +

controls to limit harm from potential supply chain adversaries are defined;

+
- - + + -

Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: .

+

Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: .

Controls that can be implemented to reduce the probability of adversaries successfully identifying and targeting the supply chain include avoiding the purchase of custom or non-standardized configurations, employing approved vendor lists with standing reputations in industry, following pre-agreed maintenance schedules and update and patch delivery mechanisms, maintaining a contingency plan in case of a supply chain event, using procurement carve-outs that provide exclusions to commitments or obligations, using diverse delivery routes, and minimizing the time between purchase decisions and delivery.

-

- are employed to limit harm from potential adversaries identifying and targeting the organizational supply chain.

+

are employed to limit harm from potential adversaries identifying and targeting the organizational supply chain.

@@ -84761,12 +80328,8 @@ - - + + @@ -84774,7 +80337,7 @@

Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.

-

To manage supply chain risk effectively and holistically, it is important that organizations ensure that supply chain risk management controls are included at all tiers in the supply chain. This includes ensuring that Tier 1 (prime) contractors have implemented processes to facilitate the flow down of supply chain risk management controls to sub-tier contractors. The controls subject to flow down are identified in SR-3b.

+

To manage supply chain risk effectively and holistically, it is important that organizations ensure that supply chain risk management controls are included at all tiers in the supply chain. This includes ensuring that Tier 1 (prime) contractors have implemented processes to facilitate the flow down of supply chain risk management controls to sub-tier contractors. The controls subject to flow down are identified in SR-3b.

@@ -84820,19 +80383,15 @@ - -

systems, system components, and associated data that require valid provenance are defined;

-
+ +

systems, system components, and associated data that require valid provenance are defined;

+
- - + + @@ -84851,24 +80410,24 @@ -

Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: .

+

Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: .

-

Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include personnel and processes used to interact with or make modifications to the system, component, or associated data. Organizations consider developing procedures (see SR-1 ) for allocating responsibilities for the creation, maintenance, and monitoring of provenance for systems and system components; transferring provenance documentation and responsibility between organizations; and preventing and monitoring for unauthorized changes to the provenance records. Organizations have methods to document, monitor, and maintain valid provenance baselines for systems, system components, and related data. These actions help track, assess, and document any changes to the provenance, including changes in supply chain elements or configuration, and help ensure non-repudiation of provenance information and the provenance change records. Provenance considerations are addressed throughout the system development life cycle and incorporated into contracts and other arrangements, as appropriate.

+

Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include personnel and processes used to interact with or make modifications to the system, component, or associated data. Organizations consider developing procedures (see SR-1 ) for allocating responsibilities for the creation, maintenance, and monitoring of provenance for systems and system components; transferring provenance documentation and responsibility between organizations; and preventing and monitoring for unauthorized changes to the provenance records. Organizations have methods to document, monitor, and maintain valid provenance baselines for systems, system components, and related data. These actions help track, assess, and document any changes to the provenance, including changes in supply chain elements or configuration, and help ensure non-repudiation of provenance information and the provenance change records. Provenance considerations are addressed throughout the system development life cycle and incorporated into contracts and other arrangements, as appropriate.

-

valid provenance is documented for ;

+

valid provenance is documented for ;

-

valid provenance is monitored for ;

+

valid provenance is monitored for ;

-

valid provenance is maintained for .

+

valid provenance is maintained for .

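Review bot: the reformatted `+` line still reads `(see SR-1 )` with a space before the closing parenthesis, and the same shape appears later in the patch as `(see SR-6(1) )`; whitespace inside a prose element such as `<p>` is significant text content, so the fact that this spacing survives unchanged suggests the reformat leaves mixed content alone, which is the correct behaviour here, but please state that explicitly in the commit message or the stylesheet header, and track the stray space itself as a pre-existing source-text issue in a separate fix rather than folding it into a whitespace commit.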
@@ -84910,30 +80469,24 @@ Identity - + - -

supply chain elements, processes, and personnel associated with systems and critical system components that require unique identification are defined;

-
+ +

supply chain elements, processes, and personnel associated with systems and critical system components that require unique identification are defined;

+
- - + + -

Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components: .

+

Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components: .

Knowing who and what is in the supply chains of organizations is critical to gaining visibility into supply chain activities. Visibility into supply chain activities is also important for monitoring and identifying high-risk events and activities. Without reasonable visibility into supply chains elements, processes, and personnel, it is very difficult for organizations to understand and manage risk and reduce their susceptibility to adverse events. Supply chain elements include organizations, entities, or tools used for the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of systems and system components. Supply chain processes include development processes for hardware, software, and firmware; shipping and handling procedures; configuration management tools, techniques, and measures to maintain provenance; personnel and physical security programs; or other programs, processes, or procedures associated with the production and distribution of supply chain elements. Supply chain personnel are individuals with specific roles and responsibilities related to the secure the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of a system or system component. Identification methods are sufficient to support an investigation in case of a supply chain change (e.g. if a supply company is purchased), compromise, or event.

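Review bot: the context line `Supply chain personnel are individuals with specific roles and responsibilities related to the secure the research and development, ...` carries a stray `the` (`related to the secure the research`); it is untouched by this hunk, and correcting catalog wording is out of scope for a whitespace-only change, so please open a follow-up issue for the text fix rather than mixing it into this commit.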
@@ -84942,11 +80495,11 @@ -

unique identification of is established;

+

unique identification of is established;

-

unique identification of is maintained.

+

unique identification of is maintained.

@@ -84988,26 +80541,22 @@ - -

systems and critical system components that require unique identification for tracking through the supply chain are defined;

-
+ +

systems and critical system components that require unique identification for tracking through the supply chain are defined;

+
- - + + -

Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: .

+

Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: .

Tracking the unique identification of systems and system components during development and transport activities provides a foundational identity structure for the establishment and maintenance of provenance. For example, system components may be labeled using serial numbers or tagged using radio-frequency identification tags. Labels and tags can help provide better visibility into the provenance of a system or system component. A system or system component may have more than one unique identifier. Identification methods are sufficient to support a forensic investigation after a supply chain compromise or event.

@@ -85016,11 +80565,11 @@ -

the unique identification of is established for tracking through the supply chain;

+

the unique identification of is established for tracking through the supply chain;

-

the unique identification of is maintained for tracking through the supply chain.

+

the unique identification of is maintained for tracking through the supply chain.

@@ -85059,44 +80608,36 @@ Validate as Genuine and Not Altered - - + + - -

controls to validate that the system or system component received is genuine are defined;

-
+ +

controls to validate that the system or system component received is genuine are defined;

+
- -

controls to validate that the system or system component received has not been altered are defined;

-
+ +

controls to validate that the system or system component received has not been altered are defined;

+
- - + + -

Employ the following controls to validate that the system or system component received is genuine and has not been altered: .

+

Employ the following controls to validate that the system or system component received is genuine and has not been altered: .

For many systems and system components, especially hardware, there are technical means to determine if the items are genuine or have been altered, including optical and nanotechnology tagging, physically unclonable functions, side-channel analysis, cryptographic hash verifications or digital signatures, and visible anti-tamper labels or stickers. Controls can also include monitoring for out of specification performance, which can be an indicator of tampering or counterfeits. Organizations may leverage supplier and contractor processes for validating that a system or component is genuine and has not been altered and for replacing a suspect system or component. Some indications of tampering may be visible and addressable before accepting delivery, such as inconsistent packaging, broken seals, and incorrect labels. When a system or system component is suspected of being altered or counterfeit, the supplier, contractor, or original equipment manufacturer may be able to replace the item or provide a forensic capability to determine the origin of the counterfeit or altered item. Organizations can provide training to personnel on how to identify suspicious system or component deliveries.

@@ -85105,13 +80646,11 @@ -

- are employed to validate that the system or system component received is genuine;

+

are employed to validate that the system or system component received is genuine;

-

- are employed to validate that the system or system component received has not been altered.

+

are employed to validate that the system or system component received has not been altered.

@@ -85159,32 +80698,28 @@ - -

controls employed to ensure that the integrity of the system and system component are defined;

-
+ +

controls employed to ensure that the integrity of the system and system component are defined;

+
- -

an analysis method to be conducted to validate the internal composition and provenance of critical or mission-essential technologies, products, and services to ensure the integrity of the system and system component is defined;

-
+ +

an analysis method to be conducted to validate the internal composition and provenance of critical or mission-essential technologies, products, and services to ensure the integrity of the system and system component is defined;

+
- - + + -

Employ and conduct to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services.

+

Employ and conduct to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services.

Authoritative information regarding the internal composition of system components and the provenance of technology, products, and services provides a strong basis for trust. The validation of the internal composition and provenance of technologies, products, and services is referred to as the pedigree. For microelectronics, this includes material composition of components. For software this includes the composition of open-source and proprietary code, including the version of the component at a given point in time. Pedigrees increase the assurance that the claims suppliers assert about the internal composition and provenance of the products, services, and technologies they provide are valid. The validation of the internal composition and provenance can be achieved by various evidentiary artifacts or records that manufacturers and suppliers produce during the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of technology, products, and services. Evidentiary artifacts include, but are not limited to, software identification (SWID) tags, software component inventory, the manufacturers’ declarations of platform attributes (e.g., serial numbers, hardware component inventory), and measurements (e.g., firmware hashes) that are tightly bound to the hardware itself.

@@ -85193,13 +80728,11 @@ -

- are employed to ensure the integrity of the system and system components;

+

are employed to ensure the integrity of the system and system components;

-

- is conducted to ensure the integrity of the system and system components.

+

is conducted to ensure the integrity of the system and system components.

@@ -85242,24 +80775,18 @@ Acquisition Strategies, Tools, and Methods - + - -

acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;

-
+ +

acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;

+
- - + + @@ -85283,7 +80810,7 @@ -

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: .

+

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: .

The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.

@@ -85292,18 +80819,15 @@ -

- are employed to protect against supply chain risks;

+

are employed to protect against supply chain risks;

-

- are employed to identify supply chain risks;

+

are employed to identify supply chain risks;

-

- are employed to mitigate supply chain risks.

+

are employed to mitigate supply chain risks.
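Review bot: the lines this hunk rewrites are paragraph text in mixed content, not inter-element indentation, and that is where a whitespace-only reformat can change meaning: the pairs `- are employed to protect against supply chain risks;` / `+ are employed to protect against supply chain risks;` read identically once the markup is stripped, but in XML the whitespace inside a `p` (including the space between an inline element and the text that follows it) is part of the text node, so re-indenting these lines can drop or add a space in the rendered prose while the hunk still looks cosmetic. Please confirm the reformat stylesheet only rewrites whitespace-only text nodes between elements; a quick check is to run `xmllint --noblanks` over the before and after files and diff the two outputs, which should come back empty for a purely cosmetic change (this hunk also goes from 18 to 15 lines, so it is deleting lines, not just re-spacing them).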

@@ -85350,39 +80874,34 @@ - -

controls to ensure an adequate supply of critical system components are defined;

-
+ +

controls to ensure an adequate supply of critical system components are defined;

+
- -

critical system components of which an adequate supply is required are defined;

-
+ +

critical system components of which an adequate supply is required are defined;

+
- - + + -

Employ the following controls to ensure an adequate supply of : .

+

Employ the following controls to ensure an adequate supply of : .

Adversaries can attempt to impede organizational operations by disrupting the supply of critical system components or corrupting supplier operations. Organizations may track systems and component mean time to failure to mitigate the loss of temporary or permanent system function. Controls to ensure that adequate supplies of critical system components include the use of multiple suppliers throughout the supply chain for the identified critical components, stockpiling spare components to ensure operation during mission-critical times, and the identification of functionally identical or similar components that may be used, if necessary.

-

- are employed to ensure an adequate supply of .

+

are employed to ensure an adequate supply of .

@@ -85430,12 +80949,8 @@ - - + + @@ -85445,7 +80960,7 @@

Assess the system, system component, or system service prior to selection, acceptance, modification, or update.

-

Organizational personnel or independent, external entities conduct assessments of systems, components, products, tools, and services to uncover evidence of tampering, unintentional and intentional vulnerabilities, or evidence of non-compliance with supply chain controls. These include malicious code, malicious processes, defective software, backdoors, and counterfeits. Assessments can include evaluations; design proposal reviews; visual or physical inspection; static and dynamic analyses; visual, x-ray, or magnetic particle inspections; simulations; white, gray, or black box testing; fuzz testing; stress testing; and penetration testing (see SR-6(1) ). Evidence generated during assessments is documented for follow-on actions by organizations. The evidence generated during the organizational or independent assessments of supply chain elements may be used to improve supply chain processes and inform the supply chain risk management process. The evidence can be leveraged in follow-on assessments. Evidence and other documentation may be shared in accordance with organizational agreements.

+

Organizational personnel or independent, external entities conduct assessments of systems, components, products, tools, and services to uncover evidence of tampering, unintentional and intentional vulnerabilities, or evidence of non-compliance with supply chain controls. These include malicious code, malicious processes, defective software, backdoors, and counterfeits. Assessments can include evaluations; design proposal reviews; visual or physical inspection; static and dynamic analyses; visual, x-ray, or magnetic particle inspections; simulations; white, gray, or black box testing; fuzz testing; stress testing; and penetration testing (see SR-6(1) ). Evidence generated during assessments is documented for follow-on actions by organizations. The evidence generated during the organizational or independent assessments of supply chain elements may be used to improve supply chain processes and inform the supply chain risk management process. The evidence can be leveraged in follow-on assessments. Evidence and other documentation may be shared in accordance with organizational agreements.

@@ -85507,19 +81022,15 @@ - -

the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined;

-
+ +

the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined;

+
- - + + @@ -85536,14 +81047,14 @@ -

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide .

+

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide .

An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts.

-

the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed .

+

the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed .

@@ -85593,32 +81104,27 @@ - -

supply chain elements, processes, and actors to be analyzed and tested are defined;

-
+ +

supply chain elements, processes, and actors to be analyzed and tested are defined;

+
- - + + -

Employ of the following supply chain elements, processes, and actors associated with the system, system component, or system service: .

+

Employ of the following supply chain elements, processes, and actors associated with the system, system component, or system service: .

Relationships between entities and procedures within the supply chain, including development and delivery, are considered. Supply chain elements include organizations, entities, or tools that are used for the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of systems, system components, or system services. Supply chain processes include supply chain risk management programs; SCRM strategies and implementation plans; personnel and physical security programs; hardware, software, and firmware development processes; configuration management tools, techniques, and measures to maintain provenance; shipping and handling procedures; and programs, processes, or procedures associated with the production and distribution of supply chain elements. Supply chain actors are individuals with specific roles and responsibilities in the supply chain. The evidence generated and collected during analyses and testing of supply chain elements, processes, and actors is documented and used to inform organizational risk management activities and decisions.

-

- is/are employed on associated with the system, system component, or system service.

+

is/are employed on associated with the system, system component, or system service.

@@ -85658,24 +81164,18 @@ Supply Chain Operations Security - + - -

Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service are defined;

-
+ +

Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service are defined;

+
- - + + @@ -85683,15 +81183,14 @@ -

Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: .

+

Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: .

Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process that includes identifying critical information, analyzing friendly actions related to operations and other activities to identify actions that can be observed by potential adversaries, determining indicators that potential adversaries might obtain that could be interpreted or pieced together to derive information in sufficient time to cause harm to organizations, implementing safeguards or countermeasures to eliminate or reduce exploitable vulnerabilities and risk to an acceptable level, and considering how aggregated information may expose users or specific uses of the supply chain. Supply chain information includes user identities; uses for systems, system components, and system services; supplier identities; security and privacy requirements; system and component configurations; supplier processes; design specifications; and testing and evaluation results. Supply chain OPSEC may require organizations to withhold mission or business information from suppliers and may include the use of intermediaries to hide the end use or users of systems, system components, or system services.

-

- are employed to protect supply chain-related information for the system, system component, or system service.

+

are employed to protect supply chain-related information for the system, system component, or system service.

@@ -85738,9 +81237,7 @@ @@ -85748,19 +81245,15 @@ - -

information for which agreements and procedures are to be established are defined (if selected);

-
+ +

information for which agreements and procedures are to be established are defined (if selected);

+
- - + + @@ -85772,14 +81265,14 @@ -

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the .

+

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the .

The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.

-

agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for .

+

agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for .

@@ -85819,12 +81312,8 @@ - - + + @@ -85887,12 +81376,8 @@ - - + + @@ -85953,46 +81438,40 @@ - -

systems or system components that require inspection are defined;

-
+ +

systems or system components that require inspection are defined;

+
- -

frequency at which to inspect systems or system components is defined (if selected);

-
+ +

frequency at which to inspect systems or system components is defined (if selected);

+
- -

indications of the need for an inspection of systems or system components are defined (if selected);

-
+ +

indications of the need for an inspection of systems or system components are defined (if selected);

+
- - + + @@ -86004,15 +81483,14 @@ -

Inspect the following systems or system components to detect tampering: .

+

Inspect the following systems or system components to detect tampering: .

The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations.

-

- are inspected to detect tampering.

+

are inspected to detect tampering.

@@ -86057,39 +81535,31 @@ - -

external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);

-
+ +

external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);

+
- -

personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);

-
+ +

personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);

+
- - + + @@ -86103,7 +81573,7 @@
-

Report counterfeit system components to .

+

Report counterfeit system components to .

@@ -86132,7 +81602,7 @@ -

counterfeit system components are reported to .

+

counterfeit system components are reported to .

@@ -86181,31 +81651,26 @@ - -

personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;

-
+ +

personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;

+
- - + + -

Train to detect counterfeit system components (including hardware, software, and firmware).

+

Train to detect counterfeit system components (including hardware, software, and firmware).

None.

-

- are trained to detect counterfeit system components (including hardware, software, and firmware).

+

are trained to detect counterfeit system components (including hardware, software, and firmware).

@@ -86248,26 +81713,22 @@ - -

system components requiring configuration control are defined;

-
+ +

system components requiring configuration control are defined;

+
- - + + -

Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: .

+

Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: .

None.

@@ -86276,11 +81737,11 @@ -

configuration control over awaiting service or repair is maintained;

+

configuration control over awaiting service or repair is maintained;

-

configuration control over serviced or repaired awaiting return to service is maintained.

+

configuration control over serviced or repaired awaiting return to service is maintained.

@@ -86322,30 +81783,26 @@ - -

the frequency at which to scan for counterfeit system components is defined;

-
+ +

the frequency at which to scan for counterfeit system components is defined;

+
- - + + -

Scan for counterfeit system components .

+

Scan for counterfeit system components .

The type of component determines the type of scanning to be conducted (e.g., web application scanning if the component is a web application).

-

scanning for counterfeit system components is conducted .

+

scanning for counterfeit system components is conducted .

@@ -86392,38 +81849,33 @@ - -

data, documentation, tools, or system components to be disposed of are defined;

-
+ +

data, documentation, tools, or system components to be disposed of are defined;

+
- -

techniques and methods for disposing of data, documentation, tools, or system components are defined;

-
+ +

techniques and methods for disposing of data, documentation, tools, or system components are defined;

+
- - + + -

Dispose of using the following techniques and methods: .

+

Dispose of using the following techniques and methods: .

Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market.

-

- are disposed of using .

+

are disposed of using .

@@ -86464,22 +81916,21 @@ 32 CFR 2002 - Code of Federal Regulations, Title 32, Controlled Unclassified Information (32 C.F.R. 2002). + Code of Federal Regulations, Title 32, Controlled Unclassified Information (32 C.F.R. 2002). 41 CFR 201 - - Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. + Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. 5 CFR 731 - Code of Federal Regulations, Title 5, Administrative Personnel , Section 731.106, Designation of Public Trust Positions and Investigative Requirements (5 C.F.R. 731.106). + Code of Federal Regulations, Title 5, Administrative Personnel , Section 731.106, Designation of Public Trust Positions and Investigative Requirements (5 C.F.R. 731.106). 
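Review bot: this hunk is not a pure reindent: the header goes from 22 to 21 lines, and the `41 CFR 201` entry shows two removed lines against one added (`- - Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 ...` followed by a single `+ Federal Acquisition Supply Chain Security Act ...`), so a line was dropped rather than re-spaced. With the markup stripped in this view it is not possible to tell whether the dropped line was an empty text node or a child element of the resource, so the commit message should say explicitly that the stylesheet also removes blank lines, and this entry is a good one to spot-check in the output to confirm the citation keeps all of its child elements.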
@@ -86500,70 +81951,70 @@ CNSSD 505 - Committee on National Security Systems Directive No. 505, Supply Chain Risk Management (SCRM) , August 2017. + Committee on National Security Systems Directive No. 505, Supply Chain Risk Management (SCRM) , August 2017. CNSSI 1253 - Committee on National Security Systems Instruction No. 1253, Security Categorization and Control Selection for National Security Systems , March 2014. + Committee on National Security Systems Instruction No. 1253, Security Categorization and Control Selection for National Security Systems , March 2014. CNSSI 4009 - Committee on National Security Systems Instruction No. 4009, Committee on National Security Systems (CNSS) Glossary , April 2015. + Committee on National Security Systems Instruction No. 4009, Committee on National Security Systems (CNSS) Glossary , April 2015. CNSSP 22 - Committee on National Security Systems Policy No. 22, Cybersecurity Risk Management Policy , August 2016. + Committee on National Security Systems Policy No. 22, Cybersecurity Risk Management Policy , August 2016. DHS NIPP - Department of Homeland Security, National Infrastructure Protection Plan (NIPP) , 2009. + Department of Homeland Security, National Infrastructure Protection Plan (NIPP) , 2009. DHS TIC - Department of Homeland Security, Trusted Internet Connections (TIC). + Department of Homeland Security, Trusted Internet Connections (TIC). DOD STIG - Defense Information Systems Agency, Security Technical Implementation Guides (STIG). + Defense Information Systems Agency, Security Technical Implementation Guides (STIG). DODI 8510.01 - Department of Defense Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT) , March 2014. + Department of Defense Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT) , March 2014. DODTERMS - Department of Defense, Dictionary of Military and Associated Terms. 
+ Department of Defense, Dictionary of Military and Associated Terms. DSB 2017 - Department of Defense, Defense Science Board, Task Force on Cyber Deterrence , February 2017. + Department of Defense, Defense Science Board, Task Force on Cyber Deterrence , February 2017. @@ -86577,42 +82028,42 @@ EO 13526 - Executive Order 13526, Classified National Security Information , December 2009. + Executive Order 13526, Classified National Security Information , December 2009. EO 13556 - Executive Order 13556, Controlled Unclassified Information , November 2010. + Executive Order 13556, Controlled Unclassified Information , November 2010. EO 13587 - Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information , October 2011. + Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information , October 2011. EO 13636 - Executive Order 13636, Improving Critical Infrastructure Cybersecurity , February 2013. + Executive Order 13636, Improving Critical Infrastructure Cybersecurity , February 2013. EO 13800 - Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure , May 2017. + Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure , May 2017. EO 13873 - Executive Order 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain , May 2019. + Executive Order 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain , May 2019. @@ -86633,7 +82084,7 @@ FED PKI - General Services Administration, Federal Public Key Infrastructure. + General Services Administration, Federal Public Key Infrastructure. 
@@ -86724,21 +82175,21 @@ HSPD 7 - Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection , December 2003. + Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection , December 2003. IETF 4949 - Internet Engineering Task Force (IETF), Request for Comments: 4949, Internet Security Glossary, Version 2 , August 2007. + Internet Engineering Task Force (IETF), Request for Comments: 4949, Internet Security Glossary, Version 2 , August 2007. IETF 5905 - Internet Engineering Task Force (IETF), Request for Comments: 5905, Network Time Protocol Version 4: Protocol and Algorithms Specification , June 2010. + Internet Engineering Task Force (IETF), Request for Comments: 5905, Network Time Protocol Version 4: Protocol and Algorithms Specification , June 2010. 
@@ -86892,84 +82343,84 @@ ISO 15026-1 - International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 15026-1:2019, Systems and software engineering — Systems and software assurance — Part 1: Concepts and vocabulary , March 2019. + International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 15026-1:2019, Systems and software engineering — Systems and software assurance — Part 1: Concepts and vocabulary , March 2019. ISO 15288 - International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 15288:2015, Systems and software engineering —Systems life cycle processes , May 2015. + International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 15288:2015, Systems and software engineering —Systems life cycle processes , May 2015. ISO 15408-1 - International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model , April 2017. + International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model , April 2017. ISO 15408-2 - International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements , April 2017. 
+ International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements , April 2017. ISO 15408-3 - International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements , April 2017. + International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements , April 2017. ISO 20243 - International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations , February 2018. + International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations , February 2018. ISO 25237 - International Organization for Standardization/International Electrotechnical Commission 25237:2017, Health informatics —Pseudonymization , January 2017. + International Organization for Standardization/International Electrotechnical Commission 25237:2017, Health informatics —Pseudonymization , January 2017. ISO 27036 - International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts , April 2014. 
+ International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts , April 2014. ISO 29100 - International Organization for Standardization/International Electrotechnical Commission 29100:2011, Information technology—Security techniques—Privacy framework , December 2011. + International Organization for Standardization/International Electrotechnical Commission 29100:2011, Information technology—Security techniques—Privacy framework , December 2011. ISO 29147 - International Organization for Standardization/International Electrotechnical Commission 29147:2018, Information technology—Security techniques—Vulnerability disclosure , October 2018. + International Organization for Standardization/International Electrotechnical Commission 29147:2018, Information technology—Security techniques—Vulnerability disclosure , October 2018. ISO 29148 - International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, Systems and software engineering—Life cycle processes—Requirements engineering , November 2018. + International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, Systems and software engineering—Life cycle processes—Requirements engineering , November 2018. LAMPSON73 - B. W. Lampson, A Note on the Confinement Problem , Communications of the ACM 16, 10, pp. 613-615, October 1973. + B. W. Lampson, A Note on the Confinement Problem , Communications of the ACM 16, 10, pp. 613-615, October 1973. 
@@ -86982,36 +82433,35 @@ NCPR - National Institute of Standards and Technology (2020) National Checklist Program Repository . Available at + National Institute of Standards and Technology (2020) National Checklist Program Repository . Available at NEUM04 - - Principled Assuredly Trustworthy Composable Architectures , P. Neumann, CDRL A001 Final Report, SRI International, December 2004. + Principled Assuredly Trustworthy Composable Architectures , P. Neumann, CDRL A001 Final Report, SRI International, December 2004. NIAP CCEVS - National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme. + National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme. NIST CAVP - National Institute of Standards and Technology (2020) Cryptographic Algorithm Validation Program . Available at + National Institute of Standards and Technology (2020) Cryptographic Algorithm Validation Program . Available at NIST CMVP - National Institute of Standards and Technology (2020) Cryptographic Module Validation Program . Available at + National Institute of Standards and Technology (2020) Cryptographic Module Validation Program . Available at 
@@ -87032,28 +82482,28 @@ NITP12 - Presidential Memorandum for the Heads of Executive Departments and Agencies, National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs , November 2012. + Presidential Memorandum for the Heads of Executive Departments and Agencies, National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs , November 2012. NSA CSFC - National Security Agency, Commercial Solutions for Classified Program (CSfC). + National Security Agency, Commercial Solutions for Classified Program (CSfC). NSA MEDIA - National Security Agency, Media Destruction Guidance. + National Security Agency, Media Destruction Guidance. NVD 800-53 - National Institute of Standards and Technology (2020) National Vulnerability Database: NIST Special Publication 800-53 [database of controls]. Available at + National Institute of Standards and Technology (2020) National Vulnerability Database: NIST Special Publication 800-53 [database of controls]. Available at 
@@ -87067,86 +82517,84 @@ ODNI NITP - Office of the Director National Intelligence, National Insider Threat Policy - + Office of the Director National Intelligence, National Insider Threat Policy OMB A-108 - Office of Management and Budget Memorandum Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act , December 2016. + Office of Management and Budget Memorandum Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act , December 2016. OMB A-130 - Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource , July 2016. + Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource , July 2016. OMB M-03-22 - Office of Management and Budget Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 , September 2003. https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2003/m03_22.pdf - + Office of Management and Budget Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 , September 2003. https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2003/m03_22.pdf OMB M-08-05 - Office of Management and Budget Memorandum M-08-05, Implementation of Trusted Internet Connections (TIC) , November 2007. + Office of Management and Budget Memorandum M-08-05, Implementation of Trusted Internet Connections (TIC) , November 2007. OMB M-17-06 - Office of Management and Budget Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital Services , November 2016. + Office of Management and Budget Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital Services , November 2016. OMB M-17-12 - Office of Management and Budget Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information , January 2017. 
+ Office of Management and Budget Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information , January 2017. OMB M-17-25 - Office of Management and Budget Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure , May 2017. + Office of Management and Budget Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure , May 2017. OMB M-19-03 - Office of Management and Budget Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program , December 2018. + Office of Management and Budget Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program , December 2018. OMB M-19-15 - Office of Management and Budget Memorandum M-19-15, Improving Implementation of the Information Quality Act , April 2019. + Office of Management and Budget Memorandum M-19-15, Improving Implementation of the Information Quality Act , April 2019. OMB M-19-23 - Office of Management and Budget Memorandum M-19-23, Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance , July 2019. + Office of Management and Budget Memorandum M-19-23, Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance , July 2019. POPEK74 - G. Popek, The Principle of Kernel Design , in 1974 NCC, AFIPS Cong. Proc., Vol. 43, pp. 977-978. + G. Popek, The Principle of Kernel Design , in 1974 NCC, AFIPS Cong. Proc., Vol. 43, pp. 977-978. 
@@ -87159,7 +82607,7 @@ SALTZER75 - J. Saltzer and M. Schroeder, The Protection of Information in Computer Systems , in Proceedings of the IEEE 63(9), September 1975, pp. 1278-1308. + J. Saltzer and M. Schroeder, The Protection of Information in Computer Systems , in Proceedings of the IEEE 63(9), September 1975, pp. 1278-1308. @@ -87263,7 +82711,7 @@ SP 800-137A - Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A. + Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A. 
@@ -87753,58 +83201,52 @@ USC 11101 - - Definitions, Title 40 U.S. Code, Sec. 11101. 2018 ed. + Definitions, Title 40 U.S. Code, Sec. 11101. 2018 ed. USC 2901 - United States Code, 2008 Edition, Title 44 - Public Printing and Documents , Chapters 29, 31, and 33, January 2012. + United States Code, 2008 Edition, Title 44 - Public Printing and Documents , Chapters 29, 31, and 33, January 2012. USC 3502 - - Definitions, Title 44 U.S. Code, Sec. 3502. 2011 ed. + Definitions, Title 44 U.S. Code, Sec. 3502. 2011 ed. USC 552 - United States Code, 2006 Edition, Supplement 4, Title 5 - Government Organization and Employees , January 2011. + United States Code, 2006 Edition, Supplement 4, Title 5 - Government Organization and Employees , January 2011. USCERT IR - Department of Homeland Security, US-CERT Federal Incident Notification Guidelines , April 2017. + Department of Homeland Security, US-CERT Federal Incident Notification Guidelines , April 2017. USGCB - National Institute of Standards and Technology (2020) United States Government Configuration Baseline . Available at + National Institute of Standards and Technology (2020) United States Government Configuration Baseline . Available at - NIST Special Publication 800-53, Revision 5: <em> Security and Privacy - Controls for Information Systems and Organizations</em> (PDF) - + NIST Special Publication 800-53, Revision 5: <em> Security and Privacy Controls for Information Systems and Organizations</em> (PDF) + - NIST Special Publication 800-53, Revision 5: <em> Security and Privacy - Controls for Information Systems and Organizations</em> (DOI link) - + NIST Special Publication 800-53, Revision 5: <em> Security and Privacy Controls for Information Systems and Organizations</em> (DOI link) + -
+
\ No newline at end of file diff --git a/src/nist.gov/SP800-53/rev5/xml/oscal-reformat.xsl b/src/nist.gov/SP800-53/rev5/xml/oscal-reformat.xsl new file mode 100644 index 00000000..ff894443 --- /dev/null +++ b/src/nist.gov/SP800-53/rev5/xml/oscal-reformat.xsl @@ -0,0 +1,126 @@ + + + + + + + + + + + + + + + + + + + + { current-dateTime() } + + + + { uuid:randomUUID() } + + + + + + + + + + + + + + + + + + + + + + + + { (: conditional LF :) ' '[$me/preceding-sibling::* => empty()] } + { (: indent :) (ancestor::* ! $indent-ws) => string-join('') } + + + + + + + + + + + + + + + + + + { (ancestor::* ! $indent-ws) => string-join('') } + + + + + + + + + + + + + + \ No newline at end of file
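Review bot: the new stylesheet rewrites `last-modified` with `{ current-dateTime() }` and the document `uuid` with `{ uuid:randomUUID() }`, so every cosmetic reformat of the catalog yields a fresh identity and timestamp that downstream consumers cannot tell apart from a substantive revision of the controls. For a whitespace-only pass, leave `uuid` untouched (or gate both rewrites behind a stylesheet parameter) and say in the file header that the transform mutates metadata. Also, `uuid:randomUUID()` is a processor extension function, not standard XPath; the header should name the namespace binding and the XSLT processor it was run with, since a processor without that binding fails on the call at compile time.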
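Review bot: in the `USC 11101` and `USC 3502` entries and the two trailing `NIST Special Publication 800-53, Revision 5: <em> Security and Privacy Controls ...</em>` links, the change collapses line breaks inside text nodes of mixed content into a single space, not just indentation between elements. That is the one spot where a whitespace-only pass can alter a node's string value, so confirm the indent logic (`(ancestor::* ! $indent-ws) => string-join('')`) is applied only to element-level whitespace and that text inside `<p>`, `<title>` and `<em>` is normalized, never stripped (here `Security and Privacy` and `Controls` still serialize with a separating space, which is the expected outcome). A quick check is to compare `normalize-space()` of every `<p>` and `<title>` before and after the transform and fail on any mismatch.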
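Review bot: both files leave this change marked `\ No newline at end of file` (the catalog's new closing `</catalog>` line and the new `oscal-reformat.xsl`), which is precisely the whitespace defect a cosmetic fixup should remove and which makes every future diff of the last line noisier; have the stylesheet emit a trailing LF after the root element and save the XSL itself with one. Separately, the `(: conditional LF :)` comment sits beside a string literal that renders here as `' '`; if that literal is a raw newline, writing it as `'&#xA;'` makes the intent explicit and survives editors that normalize line endings.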