{
"standard": "FedRAMP",
"version": "(High) NIST 800-53r4",
"webLink": "https://www.fedramp.gov/assets/resources/documents/FedRAMP_Security_Controls_Baseline.xlsx",
"domains": [
{
"title": "ACCESS CONTROL",
"controls": [
{
"ref": "AC-1",
"title": "Access Control Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the access control policy and associated access controls; and\n b. Reviews and updates the current:\n 1. Access control policy **at least annually**; and\n 2. Access control procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "AC-2",
"title": "Account Management",
"summary": "The organization:\n a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];\n b. Assigns account managers for information system accounts;\n c. Establishes conditions for group and role membership;\n d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;\n e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;\n f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];\n g. Monitors the use of information system accounts;\n h. Notifies account managers:\n 1. When accounts are no longer required;\n 2. When users are terminated or transferred; and\n 3. When individual information system usage or need-to-know changes;\n i. Authorizes access to the information system based on:\n 1. A valid access authorization;\n 2. Intended system usage; and\n 3. Other attributes as required by the organization or associated missions/business functions;\n j. Reviews accounts for compliance with account management requirements **monthly for privileged access, every six (6) months for non-privileged access**; and\n k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group."
},
{
"ref": "AC-2 (1)",
"title": "Account Management | Automated System Account Management",
"summary": "The organization employs automated mechanisms to support the management of information system accounts."
},
{
"ref": "AC-2 (2)",
"title": "Account Management | Removal of Temporary / Emergency Accounts",
"summary": "The information system automatically **disables** temporary and emergency accounts after [Assignment: organization-defined time period for each type of account] (the FedRAMP-assigned time period is specified in the linked baseline)."
},
{
"ref": "AC-2 (3)",
"title": "Account Management | Disable Inactive Accounts",
"summary": "The information system automatically disables inactive accounts after **35 days for user accounts**."
},
{
"ref": "AC-2 (4)",
"title": "Account Management | Automated Audit Actions",
"summary": "The information system automatically audits account creation, modification, enabling, disabling, and removal actions, and notifies **organization and/or service provider system owner**."
},
{
"ref": "AC-2 (5)",
"title": "Account Management | Inactivity Logout",
"summary": "The organization requires that users log out when **inactivity is anticipated to exceed Fifteen (15) minutes**."
},
{
"ref": "AC-2 (7)",
"title": "Account Management | Role-Based Schemes",
"summary": "The organization:\n(a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles;\n(b) Monitors privileged role assignments; and\n(c) Takes [Assignment: organization-defined actions] when privileged role assignments are no longer appropriate."
},
{
"ref": "AC-2 (9)",
"title": "Account Management | Restrictions on Use of Shared Groups / Accounts",
"summary": "The organization only permits the use of shared/group accounts that meet **organization-defined need with justification statement that explains why such accounts are necessary**."
},
{
"ref": "AC-2 (10)",
"title": "Account Management | Shared / Group Account Credential Termination",
"summary": "The information system terminates shared/group account credentials when members leave the group."
},
{
"ref": "AC-2 (11)",
"title": "Account Management | Usage Conditions",
"summary": "The information system enforces [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined information system accounts]."
},
{
"ref": "AC-2 (12)",
"title": "Account Management | Account Monitoring / Atypical Usage",
"summary": "The organization:\n (a) Monitors information system accounts for [Assignment: organization-defined atypical use]; and\n (b) Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles]."
},
{
"ref": "AC-2 (13)",
"title": "Account Management | Disable Accounts for High-Risk Individuals",
"summary": "The organization disables accounts of users posing a significant risk within **one (1) hour** of discovery of the risk."
},
{
"ref": "AC-3",
"title": "Access Enforcement",
"summary": "The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies."
},
{
"ref": "AC-4",
"title": "Information Flow Enforcement",
"summary": "The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies]."
},
{
"ref": "AC-4 (8)",
"title": "Information Flow Enforcement | Security Policy Filters",
"summary": "The information system enforces information flow control using [Assignment: organization-defined security policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]."
},
{
"ref": "AC-4 (21)",
"title": "Information Flow Enforcement | Physical / Logical Separation of Information Flows",
"summary": "The information system separates information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]."
},
{
"ref": "AC-5",
"title": "Separation of Duties",
"summary": "The organization:\n a. Separates [Assignment: organization-defined duties of individuals];\n b. Documents separation of duties of individuals; and\n c. Defines information system access authorizations to support separation of duties."
},
{
"ref": "AC-6",
"title": "Least Privilege",
"summary": "The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions."
},
{
"ref": "AC-6 (1)",
"title": "Least Privilege | Authorize Access To Security Functions",
"summary": "The organization explicitly authorizes access to **all functions not publicly accessible and all security-relevant information not publicly available**."
},
{
"ref": "AC-6 (2)",
"title": "Least Privilege | Non-Privileged Access for Nonsecurity Functions",
"summary": "The organization requires that users of information system accounts, or roles, with access to **all security functions**, use non-privileged accounts or roles, when accessing nonsecurity functions."
},
{
"ref": "AC-6 (3)",
"title": "Least Privilege | Network Access To Privileged Commands",
"summary": "The organization authorizes network access to **all privileged commands** only for [Assignment: organization-defined compelling operational needs] and documents the rationale for such access in the security plan for the information system."
},
{
"ref": "AC-6 (5)",
"title": "Least Privilege | Privileged Accounts",
"summary": "The organization restricts privileged accounts on the information system to [Assignment: organization-defined personnel or roles]."
},
{
"ref": "AC-6 (7)",
"title": "Least Privilege | Review of User Privileges",
"summary": "The organization:\n (a) Reviews [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and\n (b) Reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs."
},
{
"ref": "AC-6 (8)",
"title": "Least Privilege | Privilege Levels for Code Execution",
"summary": "The information system prevents **any software except software explicitly documented** from executing at higher privilege levels than users executing the software."
},
{
"ref": "AC-6 (9)",
"title": "Least Privilege | Auditing Use of Privileged Functions",
"summary": "The information system audits the execution of privileged functions."
},
{
"ref": "AC-6 (10)",
"title": "Least Privilege | Prohibit Non-Privileged Users From Executing Privileged Functions",
"summary": "The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
},
{
"ref": "AC-7",
"title": "Unsuccessful Logon Attempts",
"summary": "The information system:\n a. Enforces a limit of **not more than three (3)** consecutive invalid logon attempts by a user during a **fifteen (15) minute** period; and\n b. Automatically **locks the account/node for a minimum of three (3) hours or until unlocked by an administrator** when the maximum number of unsuccessful attempts is exceeded."
},
{
"ref": "AC-7 (2)",
"title": "Unsuccessful Logon Attempts | Purge / Wipe Mobile Device",
"summary": "The information system purges/wipes information from **mobile devices as defined by organization policy** based on [Assignment: organization-defined purging/wiping requirements/techniques] after **three (3)** consecutive, unsuccessful device logon attempts."
},
{
"ref": "AC-8",
"title": "System Use Notification",
"summary": "The information system:\n a. Displays to users [Assignment: organization-defined system use notification message or banner] (**see additional Requirements and Guidance**) before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:\n 1. Users are accessing a U.S. Government information system;\n 2. Information system usage may be monitored, recorded, and subject to audit;\n 3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and\n 4. Use of the information system indicates consent to monitoring and recording;\n b. Retains the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and\n c. For publicly accessible systems:\n 1. Displays system use information [Assignment: organization-defined conditions], before granting further access;\n 2. Displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and\n 3. Includes a description of the authorized uses of the system."
},
{
"ref": "AC-10",
"title": "Concurrent Session Control",
"summary": "The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to **three (3) sessions for privileged access and two (2) sessions for non-privileged access**."
},
{
"ref": "AC-11",
"title": "Session Lock",
"summary": "The information system:\n a. Prevents further access to the system by initiating a session lock after **fifteen (15) minutes** of inactivity or upon receiving a request from a user; and\n b. Retains the session lock until the user reestablishes access using established identification and authentication procedures."
},
{
"ref": "AC-11 (1)",
"title": "Session Lock | Pattern-Hiding Displays",
"summary": "The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image."
},
{
"ref": "AC-12",
"title": "Session Termination",
"summary": "The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]."
},
{
"ref": "AC-12 (1)",
"title": "Session Termination | User-Initiated Logouts / Message Displays",
"summary": "The information system:\n (a) Provides a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]; and\n (b) Displays an explicit logout message to users indicating the reliable termination of authenticated communications sessions."
},
{
"ref": "AC-14",
"title": "Permitted Actions Without Identification or Authentication",
"summary": "The organization:\n a. Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and\n b. Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication."
},
{
"ref": "AC-17",
"title": "Remote Access",
"summary": "The organization:\n a. Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and\n b. Authorizes remote access to the information system prior to allowing such connections."
},
{
"ref": "AC-17 (1)",
"title": "Remote Access | Automated Monitoring / Control",
"summary": "The information system monitors and controls remote access methods."
},
{
"ref": "AC-17 (2)",
"title": "Remote Access | Protection of Confidentiality / Integrity Using Encryption",
"summary": "The information system implements cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions."
},
{
"ref": "AC-17 (3)",
"title": "Remote Access | Managed Access Control Points",
"summary": "The information system routes all remote accesses through [Assignment: organization-defined number] managed network access control points."
},
{
"ref": "AC-17 (4)",
"title": "Remote Access | Privileged Commands / Access",
"summary": "The organization:\n (a) Authorizes the execution of privileged commands and access to security-relevant information via remote access only for [Assignment: organization-defined needs]; and\n (b) Documents the rationale for such access in the security plan for the information system."
},
{
"ref": "AC-17 (9)",
"title": "Remote Access | Disconnect / Disable Access",
"summary": "The organization provides the capability to expeditiously disconnect or disable remote access to the information system within **fifteen (15) minutes**."
},
{
"ref": "AC-18",
"title": "Wireless Access",
"summary": "The organization:\n a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and\n b. Authorizes wireless access to the information system prior to allowing such connections."
},
{
"ref": "AC-18 (1)",
"title": "Wireless Access | Authentication and Encryption",
"summary": "The information system protects wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption."
},
{
"ref": "AC-18 (3)",
"title": "Wireless Access | Disable Wireless Networking",
"summary": "The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment."
},
{
"ref": "AC-18 (4)",
"title": "Wireless Access | Restrict Configurations By Users",
"summary": "The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities."
},
{
"ref": "AC-18 (5)",
"title": "Wireless Access | Antennas / Transmission Power Levels",
"summary": "The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries."
},
{
"ref": "AC-19",
"title": "Access Control for Mobile Devices",
"summary": "The organization:\n a. Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and\n b. Authorizes the connection of mobile devices to organizational information systems."
},
{
"ref": "AC-19 (5)",
"title": "Access Control for Mobile Devices | Full Device / Container-Based Encryption",
"summary": "The organization employs [Selection: full-device encryption; container encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]."
},
{
"ref": "AC-20",
"title": "Use of External Information Systems",
"summary": "The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:\n a. Access the information system from external information systems; and\n b. Process, store, or transmit organization-controlled information using external information systems."
},
{
"ref": "AC-20 (1)",
"title": "Use of External Information Systems | Limits on Authorized Use",
"summary": "The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization:\n (a) Verifies the implementation of required security controls on the external system as specified in the organization’s information security policy and security plan; or\n (b) Retains approved information system connection or processing agreements with the organizational entity hosting the external information system."
},
{
"ref": "AC-20 (2)",
"title": "Use of External Information Systems | Portable Storage Devices",
"summary": "The organization [Selection: restricts; prohibits] the use of organization-controlled portable storage devices by authorized individuals on external information systems."
},
{
"ref": "AC-21",
"title": "Information Sharing",
"summary": "The organization:\na. Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and\nb. Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.\n \nSupplemental Guidance: This control applies to information that may be restricted in some manner (e.g., privileged medical information, contract-sensitive information, proprietary information, personally identifiable information, classified information related to special access programs or compartments) based on some formal or administrative determination. Depending on the particular information-sharing circumstances, sharing partners may be defined at the individual, group, or organizational level. Information may be defined by content, type, security category, or special access program/compartment."
},
{
"ref": "AC-22",
"title": "Publicly Accessible Content",
"summary": "The organization:\n a. Designates individuals authorized to post information onto a publicly accessible information system;\n b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;\n c. Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and\n d. Reviews the content on the publicly accessible information system for nonpublic information **at least quarterly** and removes such information, if discovered."
}
]
},
{
"title": "AWARENESS AND TRAINING",
"controls": [
{
"ref": "AT-1",
"title": "Security Awareness and Training Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and\n b. Reviews and updates the current:\n 1. Security awareness and training policy **at least annually or whenever a significant change occurs**; and\n 2. Security awareness and training procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "AT-2",
"title": "Security Awareness Training",
"summary": "The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):\n a. As part of initial training for new users;\n b. When required by information system changes; and\n c. **at least annually** thereafter."
},
{
"ref": "AT-2 (2)",
"title": "Security Awareness | Insider Threat",
"summary": "The organization includes security awareness training on recognizing and reporting potential indicators of insider threat."
},
{
"ref": "AT-3",
"title": "Role-Based Security Training",
"summary": "The organization provides role-based security training to personnel with assigned security roles and responsibilities:\na. Before authorizing access to the information system or performing assigned duties;\nb. When required by information system changes; and\nc. **at least annually** thereafter."
},
{
"ref": "AT-3 (3)",
"title": "Security Training | Practical Exercises",
"summary": "The organization includes practical exercises in security training that reinforce training objectives."
},
{
"ref": "AT-3 (4)",
"title": "Security Training | Suspicious Communications and Anomalous System Behavior",
"summary": "The organization provides training to its personnel on **malicious code indicators as defined by organization incident policy/capability** to recognize suspicious communications and anomalous behavior in organizational information systems."
},
{
"ref": "AT-4",
"title": "Security Training Records",
"summary": "The organization:\n a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and\n b. Retains individual training records for **five (5) years or 5 years after completion of a specific training program**."
}
]
},
{
"title": "AUDIT AND ACCOUNTABILITY",
"controls": [
{
"ref": "AU-1",
"title": "Audit and Accountability Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and\n b. Reviews and updates the current:\n 1. Audit and accountability policy **at least annually**; and\n 2. Audit and accountability procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "AU-2",
"title": "Audit Events",
"summary": "The organization:\n a. Determines that the information system is capable of auditing the following events: **successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes**;\n b. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;\n c. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and\n d. Determines that the following events are to be audited within the information system: **organization-defined subset of the auditable events defined in AU-2a to be audited continually for each identified event**."
},
{
"ref": "AU-2 (3)",
"title": "Audit Events | Reviews and Updates",
"summary": "The organization reviews and updates the audited events **annually or whenever there is a change in the threat environment**."
},
{
"ref": "AU-3",
"title": "Content of Audit Records",
"summary": "The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event."
},
{
"ref": "AU-3 (1)",
"title": "Content of Audit Records | Additional Audit Information",
"summary": "The information system generates audit records containing the following additional information: **session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon; individual identities of group account users; full-text of privileged commands**."
},
{
"ref": "AU-3 (2)",
"title": "Content of Audit Records | Centralized Management of Planned Audit Record Content",
"summary": "The information system provides centralized management and configuration of the content to be captured in audit records generated by **all network, data storage, and computing devices**."
},
{
"ref": "AU-4",
"title": "Audit Storage Capacity",
"summary": "The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements]."
},
{
"ref": "AU-5",
"title": "Response To Audit Processing Failures",
"summary": "The information system:\n a. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and\n b. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)]."
},
{
"ref": "AU-5 (1)",
"title": "Response To Audit Processing Failures | Audit Storage Capacity",
"summary": "The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity."
},
{
"ref": "AU-5 (2)",
"title": "Response To Audit Processing Failures | Real-Time Alerts",
"summary": "The information system provides an alert in **real-time** to **service provider personnel with authority to address failed audit events** when the following audit failure events occur: **audit failure events requiring real-time alerts, as defined by organization audit policy**."
},
{
"ref": "AU-6",
"title": "Audit Review, Analysis, and Reporting",
"summary": "The organization:\n a. Reviews and analyzes information system audit records **at least weekly** for indications of [Assignment: organization-defined inappropriate or unusual activity]; and\n b. Reports findings to [Assignment: organization-defined personnel or roles]."
},
{
"ref": "AU-6 (1)",
"title": "Audit Review, Analysis, and Reporting | Process Integration",
"summary": "The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities."
},
{
"ref": "AU-6 (3)",
"title": "Audit Review, Analysis, and Reporting | Correlate Audit Repositories",
"summary": "The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness."
},
{
"ref": "AU-6 (4)",
"title": "Audit Review, Analysis, and Reporting | Central Review and Analysis",
"summary": "The information system provides the capability to centrally review and analyze audit records from multiple components within the system."
},
{
"ref": "AU-6 (5)",
"title": "Audit Review, Analysis, and Reporting | Integration / Scanning and Monitoring Capabilities",
"summary": "The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; **organization-defined data/information collected from other sources**] to further enhance the ability to identify inappropriate or unusual activity."
},
{
"ref": "AU-6 (6)",
"title": "Audit Review, Analysis, and Reporting | Correlation With Physical Monitoring",
"summary": "The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity."
},
{
"ref": "AU-6 (7)",
"title": "Audit Review, Analysis, and Reporting | Permitted Actions",
"summary": "The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information."
},
{
"ref": "AU-6 (10)",
"title": "Audit Review, Analysis, and Reporting | Audit Level Adjustment",
"summary": "The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information."
},
{
"ref": "AU-7",
"title": "Audit Reduction and Report Generation",
"summary": "The information system provides an audit reduction and report generation capability that:\n a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and\n b. Does not alter the original content or time ordering of audit records."
},
{
"ref": "AU-7 (1)",
"title": "Audit Reduction and Report Generation | Automatic Processing",
"summary": "The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records]."
},
{
"ref": "AU-8",
"title": "Time Stamps",
"summary": "The information system:\n a. Uses internal system clocks to generate time stamps for audit records; and\n b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets **one second granularity of time measurement**."
},
{
"ref": "AU-8 (1)",
"title": "Time Stamps | Synchronization With Authoritative Time Source",
"summary": "The information system:\n (a) Compares the internal information system clocks **At least hourly** with [Assignment: organization-defined authoritative time source]; and\n (b) Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than **At least hourly**."
},
{
"ref": "AU-9",
"title": "Protection of Audit Information",
"summary": "The information system protects audit information and audit tools from unauthorized access, modification, and deletion."
},
{
"ref": "AU-9 (2)",
"title": "Protection of Audit Information | Audit Backup on Separate Physical Systems / Components",
"summary": "The information system backs up audit records **at least weekly** onto a physically different system or system component than the system or component being audited."
},
{
"ref": "AU-9 (3)",
"title": "Protection of Audit Information | Cryptographic Protection",
"summary": "The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools."
},
{
"ref": "AU-9 (4)",
"title": "Protection of Audit Information | Access By Subset of Privileged Users",
"summary": "The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users]."
},
{
"ref": "AU-10",
"title": "Non-Repudiation",
"summary": "The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed **minimum actions including the addition, modification, deletion, approval, sending, or receiving of data**."
},
{
"ref": "AU-11",
"title": "Audit Record Retention",
"summary": "The organization retains audit records for **at least one (1) year** to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements."
},
{
"ref": "AU-12",
"title": "Audit Generation",
"summary": "The information system:\n a. Provides audit record generation capability for the auditable events defined in AU-2 a. at **all information system and network components where audit capability is deployed/available**;\n b. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and\n c. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3."
},
{
"ref": "AU-12 (1)",
"title": "Audit Generation | System-Wide / Time-Correlated Audit Trail",
"summary": "The information system compiles audit records from **all network, data storage, and computing devices** into a system-wide (logical or physical) audit trail that is time- correlated to within [Assignment: organization-defined level of tolerance for relationship between time stamps of individual records in the audit trail]."
},
{
"ref": "AU-12 (3)",
"title": "Audit Generation | Changes By Authorized Individuals",
"summary": "The information system provides the capability for **service provider-defined individuals or roles with audit configuration responsibilities** to change the auditing to be performed on **all network, data storage, and computing devices** based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]."
}
]
},
{
"title": "SECURITY ASSESSMENT AND AUTHORIZATION",
"controls": [
{
"ref": "CA-1",
"title": "Security Assessment and Authorization Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and\n b. Reviews and updates the current:\n 1. Security assessment and authorization policy **at least annually**; and\n 2. Security assessment and authorization procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "CA-2",
"title": "Security Assessments",
"summary": "The organization:\n a. Develops a security assessment plan that describes the scope of the assessment including:\n 1. Security controls and control enhancements under assessment;\n 2. Assessment procedures to be used to determine security control effectiveness; and\n 3. Assessment environment, assessment team, and assessment roles and responsibilities;\n b. Assesses the security controls in the information system and its environment of operation **at least annually** to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;\n c. Produces a security assessment report that documents the results of the assessment; and\n d. Provides the results of the security control assessment to **individuals or roles to include FedRAMP PMO**."
},
{
"ref": "CA-2 (1)",
"title": "Security Assessments | Independent Assessors",
"summary": "The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments."
},
{
"ref": "CA-2 (2)",
"title": "Security Assessments | Specialized Assessments",
"summary": "The organization includes as part of security control assessments, **at least annually**, [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]]."
},
{
"ref": "CA-2 (3)",
"title": "Security Assessments | External Organizations",
"summary": "The organization accepts the results of an assessment of **any FedRAMP Accredited 3PAO** performed by **any FedRAMP Accredited 3PAO** when the assessment meets **the conditions of the JAB/AO in the FedRAMP Repository**."
},
{
"ref": "CA-3",
"title": "System Interconnections",
"summary": "The organization:\n a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;\n b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and\n c. Reviews and updates Interconnection Security Agreements **at least annually and on input from FedRAMP**."
},
{
"ref": "CA-3 (3)",
"title": "System Interconnections | Unclassified Non-National Security System Connections",
"summary": "The organization prohibits the direct connection of an **Boundary Protections which meet the Trusted Internet Connection (TIC) requirements** to an external network without the use of [Assignment; organization-defined boundary protection device]."
},
{
"ref": "CA-3 (5)",
"title": "System Interconnections | Restrictions on External System Connections",
"summary": "The organization employs [Selection: allow-all, deny-by-exception; deny-all, permit-by-exception] policy for allowing **deny-all, permit by exception** to connect to external information systems."
},
{
"ref": "CA-5",
"title": "Plan of Action and Milestones",
"summary": "The organization:\n a. Develops a plan of action and milestones for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during\nthe assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and\n b. Updates existing plan of action and milestones **at least monthly** based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities."
},
{
"ref": "CA-6",
"title": "Security Authorization",
"summary": "The organization:\n a. Assigns a senior-level executive or manager as the authorizing official for the information system;\n b. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and\n c. Updates the security authorization **at least every three (3) years or when a significant change occurs**."
},
{
"ref": "CA-7",
"title": "Continuous Monitoring",
"summary": "The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:\n a. Establishment of [Assignment: organization-defined metrics] to be monitored;\n b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;\n c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;\n d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;\n e. Correlation and analysis of security-related information generated by assessments and monitoring;\n f. Response actions to address results of the analysis of security-related information; and\n g. Reporting the security status of organization and the information system to **to meet Federal and FedRAMP requirements** [Assignment: organization-defined frequency]."
},
{
"ref": "CA-7 (1)",
"title": "Continuous Monitoring | Independent Assessment",
"summary": "The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to monitor the security controls in the information system on an ongoing basis."
},
{
"ref": "CA-7 (3)",
"title": "Continuous Monitoring | Trend Analyses",
"summary": "The organization employs trend analyses to determine if security control implementations, the frequency of continuous monitoring activities, and/or the types of activities used in the continuous monitoring process need to be modified based on empirical data."
},
{
"ref": "CA-8",
"title": "Penetration Testing",
"summary": "The organization conducts penetration testing **at least annually** on [Assignment: organization-defined information systems or system components]."
},
{
"ref": "CA-8 (1)",
"title": "Penetration Testing | Independent Penetration Agent or Team",
"summary": "The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components."
},
{
"ref": "CA-9",
"title": "Internal System Connections",
"summary": "The organization:\n a. Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and\n b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated."
}
]
},
{
"title": "CONFIGURATION MANAGEMENT",
"controls": [
{
"ref": "CM-1",
"title": "Configuration Management Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and\n b. Reviews and updates the current:\n 1. Configuration management policy **at least annually**; and\n 2. Configuration management procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "CM-2",
"title": "Baseline Configuration",
"summary": "The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system."
},
{
"ref": "CM-2 (1)",
"title": "Baseline Configuration | Reviews and Updates",
"summary": "The organization reviews and updates the baseline configuration of the information system: \n (a) [Assignment: organization-defined frequency];\n (b) When required due to [Assignment organization-defined circumstances]; and\n (c) As an integral part of information system component installations and upgrades."
},
{
"ref": "CM-2 (2)",
"title": "Baseline Configuration | Automation Support for Accuracy / Currency",
"summary": "The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system."
},
{
"ref": "CM-2 (3)",
"title": "Baseline Configuration | Retention of Previous Configurations",
"summary": "The organization retains **organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components** to support rollback."
},
{
"ref": "CM-2 (7)",
"title": "Baseline Configuration | Configure Systems, Components, or Devices for High-Risk Areas",
"summary": "The organization:\n (a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and\n (b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return."
},
{
"ref": "CM-3",
"title": "Configuration Change Control",
"summary": "The organization:\n a. Determines the types of changes to the information system that are configuration-controlled;\n b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;\n c. Documents configuration change decisions associated with the information system;\n d. Implements approved configuration-controlled changes to the information system;\n e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];\n f. Audits and reviews activities associated with configuration-controlled changes to the information system; and\n g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]."
},
{
"ref": "CM-3 (1)",
"title": "Configuration Change Control | Automated Document / Notification / Prohibition of Changes",
"summary": "The organization employs automated mechanisms to:\n (a) Document proposed changes to the information system;\n (b) Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval;\n (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];\n (d) Prohibit changes to the information system until designated approvals are received; \n (e) Document all changes to the information system; and\n (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed."
},
{
"ref": "CM-3 (2)",
"title": "Configuration Change Control | Test / Validate / Document Changes",
"summary": "The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system."
},
{
"ref": "CM-3 (4)",
"title": "Configuration Change Control | Security Representative",
"summary": "The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element]."
},
{
"ref": "CM-3 (6)",
"title": "Configuration Change Control | Cryptography Management",
"summary": "The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management."
},
{
"ref": "CM-4",
"title": "Security Impact Analysis",
"summary": "The organization analyzes changes to the information system to determine potential security impacts prior to change implementation."
},
{
"ref": "CM-4 (1)",
"title": "Security Impact Analysis | Separate Test Environments",
"summary": "The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice."
},
{
"ref": "CM-5",
"title": "Access Restrictions for Change",
"summary": "The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system."
},
{
"ref": "CM-5 (1)",
"title": "Access Restrictions for Change | Automated Access Enforcement / Auditing",
"summary": "The information system enforces access restrictions and supports auditing of the enforcement actions."
},
{
"ref": "CM-5 (2)",
"title": "Access Restrictions for Change | Review System Changes",
"summary": "The organization reviews information system changes **at least every thirty (30) days** and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred."
},
{
"ref": "CM-5 (3)",
"title": "Access Restrictions for Change | Signed Components",
"summary": "The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization."
},
{
"ref": "CM-5 (5)",
"title": "Access Restrictions for Change | Limit Production / Operational Privileges",
"summary": "The organization:\n (a) Limits privileges to change information system components and system-related information within a production or operational environment; and\n (b) Reviews and reevaluates privileges [Assignment: organization-defined frequency]."
},
{
"ref": "CM-6",
"title": "Configuration Settings",
"summary": "The organization:\n a. Establishes and documents configuration settings for information technology products employed within the information system using **United States Government Configuration Baseline (USGCB)** that reflect the most restrictive mode consistent with operational requirements;\n b. Implements the configuration settings;\n c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and\n d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures."
},
{
"ref": "CM-6 (1)",
"title": "Configuration Settings | Automated Central Management / Application / Verification",
"summary": "The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]."
},
{
"ref": "CM-6 (2)",
"title": "Configuration Settings | Respond To Unauthorized Changes",
"summary": "The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings]."
},
{
"ref": "CM-7",
"title": "Least Functionality",
"summary": "The organization:\n a. Configures the information system to provide only essential capabilities; and\n b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: **United States Government Configuration Baseline (USGCB)**."
},
{
"ref": "CM-7 (1)",
"title": "Least Functionality | Periodic Review",
"summary": "The organization:\n (a) Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and\n (b) Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure]."
},
{
"ref": "CM-7 (2)",
"title": "Least Functionality | Prevent Program Execution",
"summary": "The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]."
},
{
"ref": "CM-7 (5)",
"title": "Least Functionality | Authorized Software / Whitelisting",
"summary": "The organization:\n (a) Identifies [Assignment: organization-defined software programs authorized to execute on the information system];\n (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and\n (c) Reviews and updates the list of authorized software programs [Assignment: organization- defined frequency]."
},
{
"ref": "CM-8",
"title": "Information System Component Inventory",
"summary": "The organization:\n a. Develops and documents an inventory of information system components that:\n 1. Accurately reflects the current information system;\n 2. Includes all components within the authorization boundary of the information system;\n 3. Is at the level of granularity deemed necessary for tracking and reporting; and\n 4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and\n b. Reviews and updates the information system component inventory **at least monthly**."
},
{
"ref": "CM-8 (1)",
"title": "Information System Component Inventory | Updates During Installations / Removals",
"summary": "The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates."
},
{
"ref": "CM-8 (2)",
"title": "Information System Component Inventory | Automated Maintenance",
"summary": "The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components."
},
{
"ref": "CM-8 (3)",
"title": "Information System Component Inventory | Automated Unauthorized Component Detection",
"summary": "The organization:\n (a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and\n (b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]]."
},
{
"ref": "CM-8 (4)",
"title": "Information System Component Inventory | Accountability Information",
"summary": "The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components."
},
{
"ref": "CM-8 (5)",
"title": "Information System Component Inventory | No Duplicate Accounting of Components",
"summary": "The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system inventories."
},
{
"ref": "CM-9",
"title": "Configuration Management Plan",
"summary": "The organization develops, documents, and implements a configuration management plan for the information system that:\n a. Addresses roles, responsibilities, and configuration management processes and procedures;\n b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;\n c. Defines the configuration items for the information system and places the configuration items under configuration management; and\n d. Protects the configuration management plan from unauthorized disclosure and modification."
},
{
"ref": "CM-10",
"title": "Software Usage Restrictions",
"summary": "The organization:\na. Uses software and associated documentation in accordance with contract agreements and copyright laws;\nb. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and\nc. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work."
},
{
"ref": "CM-10 (1)",
"title": "Software Usage Restrictions | Open Source Software",
"summary": "The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions]."
},
{
"ref": "CM-11",
"title": "User-Installed Software",
"summary": "The organization:\n a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;\n b. Enforces software installation policies through [Assignment: organization-defined methods]; and\n c. Monitors policy compliance at **Continuously (via CM-7 (5))**."
},
{
"ref": "CM-11 (1)",
"title": "User-Installed Software | Alerts for Unauthorized Installations",
"summary": "The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected."
}
]
},
{
"title": "CONTINGENCY PLANNING",
"controls": [
{
"ref": "CP-1",
"title": "Contingency Planning Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and\n b. Reviews and updates the current:\n 1. Contingency planning policy **at least annually**; and\n 2. Contingency planning procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "CP-2",
"title": "Contingency Plan",
"summary": "The organization:\n a. Develops a contingency plan for the information system that:\n 1. Identifies essential missions and business functions and associated contingency requirements;\n 2. Provides recovery objectives, restoration priorities, and metrics;\n 3. Addresses contingency roles, responsibilities, assigned individuals with contact information;\n 4. Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure;\n 5. Addresses eventual, full information system restoration without deterioration of the security safeguards originally planned and implemented; and\n 6. Is reviewed and approved by [Assignment: organization-defined personnel or roles];\n b. Distributes copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];\n c. Coordinates contingency planning activities with incident handling activities;\n d. Reviews the contingency plan for the information system **at least annually**;\n e. Updates the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;\n f. Communicates contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements]; and\n g. Protects the contingency plan from unauthorized disclosure and modification."
},
{
"ref": "CP-2 (1)",
"title": "Contingency Plan | Coordinate With Related Plans",
"summary": "The organization coordinates contingency plan development with organizational elements responsible for related plans."
},
{
"ref": "CP-2 (2)",
"title": "Contingency Plan | Capacity Planning",
"summary": "The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations."
},
{
"ref": "CP-2 (3)",
"title": "Contingency Plan | Resume Essential Missions / Business Functions",
"summary": "The organization plans for the resumption of essential missions and business functions within\n[Assignment: organization-defined time period] of contingency plan activation."
},
{
"ref": "CP-2 (4)",
"title": "Contingency Plan | Resume All Missions / Business Functions",
"summary": "The organization plans for the resumption of all missions and business functions within\n**time period defined in service provider and organization SLA** of contingency plan activation."
},
{
"ref": "CP-2 (5)",
"title": "Contingency Plan | Continue Essential Missions / Business Functions",
"summary": "The organization plans for the continuance of essential missions and business functions with little or no loss of operational continuity and sustains that continuity until full information system restoration at primary processing and/or storage sites."
},
{
"ref": "CP-2 (8)",
"title": "Contingency Plan | Identify Critical Assets",
"summary": "The organization identifies critical information system assets supporting essential missions and business functions."
},
{
"ref": "CP-3",
"title": "Contingency Training",
"summary": "The organization provides contingency training to information system users consistent with assigned roles and responsibilities:\n a. Within **ten (10) days** of assuming a contingency role or responsibility;\n b. When required by information system changes; and\n c. **at least annually** thereafter."
},
{
"ref": "CP-3 (1)",
"title": "Contingency Training | Simulated Events",
"summary": "The organization incorporates simulated events into contingency training to facilitate effective response by personnel in crisis situations."
},
{
"ref": "CP-4",
"title": "Contingency Plan Testing",
"summary": "The organization:\n a. Tests the contingency plan for the information system **at least annually** using **functional exercises** to determine the effectiveness of the plan and the organizational readiness to execute the plan;\n b. Reviews the contingency plan test results; and\n c. Initiates corrective actions, if needed."
},
{
"ref": "CP-4 (1)",
"title": "Contingency Plan Testing | Coordinate With Related Plans",
"summary": "The organization coordinates contingency plan testing with organizational elements responsible for related plans."
},
{
"ref": "CP-4 (2)",
"title": "Contingency Plan Testing | Alternate Processing Site",
"summary": "The organization tests the contingency plan at the alternate processing site:\n (a) To familiarize contingency personnel with the facility and available resources; and\n (b) To evaluate the capabilities of the alternate processing site to support contingency operations."
},
{
"ref": "CP-6",
"title": "Alternate Storage Site",
"summary": "The organization:\n a. Establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information; and\n b. Ensures that the alternate storage site provides information security safeguards equivalent to that of the primary site."
},
{
"ref": "CP-6 (1)",
"title": "Alternate Storage Site | Separation From Primary Site",
"summary": "The organization identifies an alternate storage site that is separated from the primary storage site to reduce susceptibility to the same threats."
},
{
"ref": "CP-6 (2)",
"title": "Alternate Storage Site | Recovery Time / Point Objectives",
"summary": "The organization configures the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives."
},
{
"ref": "CP-6 (3)",
"title": "Alternate Storage Site | Accessibility",
"summary": "The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."
},
{
"ref": "CP-7",
"title": "Alternate Processing Site",
"summary": "The organization:\n a. Establishes an alternate processing site including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined information system operations] for essential missions/business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;\n b. Ensures that equipment and supplies required to transfer and resume operations are available at the alternate processing site or contracts are in place to support delivery to the site within the organization-defined time period for transfer/resumption; and \n c. Ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site."
},
{
"ref": "CP-7 (1)",
"title": "Alternate Processing Site | Separation From Primary Site",
"summary": "The organization identifies an alternate processing site that is separated from the primary processing site to reduce susceptibility to the same threats."
},
{
"ref": "CP-7 (2)",
"title": "Alternate Processing Site | Accessibility",
"summary": "The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions."
},
{
"ref": "CP-7 (3)",
"title": "Alternate Processing Site | Priority of Service",
"summary": "The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives)."
},
{
"ref": "CP-7 (4)",
"title": "Alternate Processing Site | Preparation for Use",
"summary": "The organization prepares the alternate processing site so that the site is ready to be used as the operational site supporting essential missions and business functions."
},
{
"ref": "CP-8",
"title": "Telecommunications Services",
"summary": "The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of [Assignment: organization-defined information system operations] for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites."
},
{
"ref": "CP-8 (1)",
"title": "Telecommunications Services | Priority of Service Provisions",
"summary": "The organization:\n (a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with organizational availability requirements (including recovery time objectives); and\n (b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier."
},
{
"ref": "CP-8 (2)",
"title": "Telecommunications Services | Single Points of Failure",
"summary": "The organization obtains alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services."
},
{
"ref": "CP-8 (3)",
"title": "Telecommunications Services | Separation of Primary / Alternate Providers",
"summary": "The organization obtains alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats."
},
{
"ref": "CP-8 (4)",
"title": "Telecommunications Services | Provider Contingency Plan",
"summary": "The organization:\n (a) Requires primary and alternate telecommunications service providers to have contingency plans;\n (b) Reviews provider contingency plans to ensure that the plans meet organizational contingency requirements; and\n (c) Obtains evidence of contingency testing/training by providers [Assignment: organization-defined frequency]."
},
{
"ref": "CP-9",
"title": "Information System Backup",
"summary": "The organization:\na. Conducts backups of user-level information contained in the information system **daily incremental; weekly full**;\nb. Conducts backups of system-level information contained in the information system **daily incremental; weekly full**;\nc. Conducts backups of information system documentation including security-related documentation **daily incremental; weekly full**; and\nd. Protects the confidentiality, integrity, and availability of backup information at storage locations."
},
{
"ref": "CP-9 (1)",
"title": "Information System Backup | Testing for Reliability / Integrity",
"summary": "The organization tests backup information **at least monthly** to verify media reliability and information integrity."
},
{
"ref": "CP-9 (2)",
"title": "Information System Backup | Test Restoration Using Sampling",
"summary": "The organization uses a sample of backup information in the restoration of selected information system functions as part of contingency plan testing."
},
{
"ref": "CP-9 (3)",
"title": "Information System Backup | Separate Storage for Critical Information",
"summary": "The organization stores backup copies of [Assignment: organization-defined critical information system software and other security-related information] in a separate facility or in a fire-rated container that is not collocated with the operational system."
},
{
"ref": "CP-9 (5)",
"title": "Information System Backup | Transfer To Alternate Storage Site",
"summary": "The organization transfers information system backup information to the alternate storage site **time period and transfer rate consistent with the recovery time and recovery point objectives defined in the service provider and organization SLA**."
},
{
"ref": "CP-10",
"title": "Information System Recovery and Reconstitution",
"summary": "The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure."
},
{
"ref": "CP-10 (2)",
"title": "Information System Recovery and Reconstitution | Transaction Recovery",
"summary": "The information system implements transaction recovery for systems that are transaction-based."
},
{
"ref": "CP-10 (4)",
"title": "Information System Recovery and Reconstitution | Restore Within Time Period",
"summary": "The organization provides the capability to restore information system components within **time period consistent with the restoration time-periods defined in the service provider and organization SLA** from configuration-controlled and integrity-protected information representing a known, operational state for the components."
}
]
},
{
"title": "IDENTIFICATION AND AUTHENTICATION",
"controls": [
{
"ref": "IA-1",
"title": "Identification and Authentication Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and\n b. Reviews and updates the current:\n 1. Identification and authentication policy **at least annually**; and\n 2. Identification and authentication procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "IA-2",
"title": "Identification and Authentication (Organizational Users)",
"summary": "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)."
},
{
"ref": "IA-2 (1)",
"title": "Identification and Authentication | Network Access To Privileged Accounts",
"summary": "The information system implements multifactor authentication for network access to privileged accounts."
},
{
"ref": "IA-2 (2)",
"title": "Identification and Authentication | Network Access To Non-Privileged Accounts",
"summary": "The information system implements multifactor authentication for network access to non-privileged accounts."
},
{
"ref": "IA-2 (3)",
"title": "Identification and Authentication | Local Access To Privileged Accounts",
"summary": "The information system implements multifactor authentication for local access to privileged accounts."
},
{
"ref": "IA-2 (4)",
"title": "Identification and Authentication | Local Access To Non-Privileged Accounts",
"summary": "The information system implements multifactor authentication for local access to non-privileged accounts."
},
{
"ref": "IA-2 (5)",
"title": "Identification and Authentication (Organizational Users) | Group Authentication",
"summary": "The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed."
},
{
"ref": "IA-2 (8)",
"title": "Identification and Authentication | Network Access To Privileged Accounts - Replay Resistant",
"summary": "The information system implements replay-resistant authentication mechanisms for network access to privileged accounts."
},
{
"ref": "IA-2 (9)",
"title": "Identification and Authentication | Network Access To Non-Privileged Accounts - Replay Resistant",
"summary": "The information system implements replay-resistant authentication mechanisms for network access to non-privileged accounts."
},
{
"ref": "IA-2 (11)",
"title": "Identification and Authentication | Remote Access - Separate Device",
"summary": "The information system implements multifactor authentication for remote access to privileged and non-privileged accounts such that one of the factors is provided by a device separate from the system gaining access and the device meets **FIPS 140-2, NIAP Certification, or NSA approval**."
},
{
"ref": "IA-2 (12)",
"title": "Identification and Authentication | Acceptance of PIV Credentials",
"summary": "The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials."
},
{
"ref": "IA-3",
"title": "Device Identification and Authentication",
"summary": "The information system uniquely identifies and authenticates [Assignment: organization-defined specific and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection."
},
{
"ref": "IA-4",
"title": "Identifier Management",
"summary": "The organization manages information system identifiers by:\n a. Receiving authorization from **at a minimum, the ISSO (or similar role within the organization)** to assign an individual, group, role, or device identifier;\n b. Selecting an identifier that identifies an individual, group, role, or device;\n c. Assigning the identifier to the intended individual, group, role, or device;\n d. Preventing reuse of identifiers for **at least two (2) years**; and\n e. Disabling the identifier after **thirty-five (35) days**."
},
{
"ref": "IA-4 (4)",
"title": "Identifier Management | Identify User Status",
"summary": "The organization manages individual identifiers by uniquely identifying each individual as **contractors; foreign nationals**."
},
{
"ref": "IA-5",
"title": "Authenticator Management",
"summary": "The organization manages information system authenticators by:\n a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;\n b. Establishing initial authenticator content for authenticators defined by the organization;\n c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;\n d. Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators;\n e. Changing default content of authenticators prior to information system installation;\n f. Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;\n g. Changing/refreshing authenticators [Assignment: organization-defined time period by authenticator type];\n h. Protecting authenticator content from unauthorized disclosure and modification;\n i. Requiring individuals to take, and having devices implement, specific security safeguards to protect authenticators; and\n j. Changing authenticators for group/role accounts when membership to those accounts changes."
},
{
"ref": "IA-5 (1)",
"title": "Authenticator Management | Password-Based Authentication",
"summary": "The information system, for password-based authentication:\n (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type];\n (b) Enforces at least the following number of changed characters when new passwords are created: [Assignment: organization-defined number];\n (c) Stores and transmits only encrypted representations of passwords;\n (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum];\n (e) Prohibits password reuse for [Assignment: organization-defined number] generations; and\n (f) Allows the use of a temporary password for system logons with an immediate change to a permanent password."
},
{
"ref": "IA-5 (2)",
"title": "Authenticator Management | PKI-Based Authentication",
"summary": "The information system, for PKI-based authentication:\n (a) Validates certifications by constructing and verifying a certification path to an accepted trust anchor including checking certificate status information;\n (b) Enforces authorized access to the corresponding private key;\n (c) Maps the authenticated identity to the account of the individual or group; and\n (d) Implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network."
},
{
"ref": "IA-5 (3)",
"title": "Authenticator Management | In-Person or Trusted Third-Party Registration",
"summary": "The organization requires that the registration process to receive **All hardware/biometric (multifactor authenticators)** be conducted [Selection: in person; by a trusted third party] before **in person** with authorization by [Assignment: organization-defined personnel or roles]."
},
{
"ref": "IA-5 (4)",
"title": "Authenticator Management | Automated Support for Password Strength Determination",
"summary": "The organization employs automated tools to determine if password authenticators are sufficiently strong to satisfy **complexity as identified in IA-5 (1) Control Enhancement Part (a)**."
},
{
"ref": "IA-5 (6)",
"title": "Authenticator Management | Protection of Authenticators",
"summary": "The organization protects authenticators commensurate with the security category of the information to which use of the authenticator permits access."
},
{
"ref": "IA-5 (7)",
"title": "Authenticator Management | No Embedded Unencrypted Static Authenticators",
"summary": "The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys."
},
{
"ref": "IA-5 (8)",
"title": "Authenticator Management | Multiple Information System Accounts",
"summary": "The organization implements **different authenticators on different systems** to manage the risk of compromise due to individuals having accounts on multiple information systems."
},
{
"ref": "IA-5 (11)",
"title": "Authenticator Management | Hardware Token-Based Authentication",
"summary": "The information system, for hardware token-based authentication, employs mechanisms that satisfy [Assignment: organization-defined token quality requirements]."
},
{
"ref": "IA-5 (13)",
"title": "Authenticator Management | Expiration of Cached Authenticators",
"summary": "The information system prohibits the use of cached authenticators after [Assignment: organization-defined time period]."
},
{
"ref": "IA-6",
"title": "Authenticator Feedback",
"summary": "The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals."
},
{
"ref": "IA-7",
"title": "Cryptographic Module Authentication",
"summary": "The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication."
},
{
"ref": "IA-8",
"title": "Identification and Authentication (Non-Organizational Users)",
"summary": "The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users)."
},
{
"ref": "IA-8 (1)",
"title": "Identification and Authentication | Acceptance of PIV Credentials From Other Agencies",
"summary": "The information system accepts and electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies."
},
{
"ref": "IA-8 (2)",
"title": "Identification and Authentication | Acceptance of Third-Party Credentials",
"summary": "The information system accepts only FICAM-approved third-party credentials."
},
{
"ref": "IA-8 (3)",
"title": "Identification and Authentication | Use of FICAM-Approved Products",
"summary": "The organization employs only FICAM-approved information system components in [Assignment: organization-defined information systems] to accept third-party credentials."
},
{
"ref": "IA-8 (4)",
"title": "Identification and Authentication | Use of FICAM-Issued Profiles",
"summary": "The information system conforms to FICAM-issued profiles."
}
]
},
{
"title": "INCIDENT RESPONSE",
"controls": [
{
"ref": "IR-1",
"title": "Incident Response Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and\n b. Reviews and updates the current:\n 1. Incident response policy **at least annually**; and\n 2. Incident response procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "IR-2",
"title": "Incident Response Training",
"summary": "The organization provides incident response training to information system users consistent with assigned roles and responsibilities:\n a. Within **ten (10) days** of assuming an incident response role or responsibility;\n b. When required by information system changes; and\n c. **at least annually** thereafter."
},
{
"ref": "IR-2 (1)",
"title": "Incident Response Training | Simulated Events",
"summary": "The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations."
},
{
"ref": "IR-2 (2)",
"title": "Incident Response Training | Automated Training Environments",
"summary": "The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment."
},
{
"ref": "IR-3",
"title": "Incident Response Testing",
"summary": "The organization tests the incident response capability for the information system **at least every six (6) months** using [Assignment: organization-defined tests] to determine the incident response effectiveness and documents the results."
},
{
"ref": "IR-3 (2)",
"title": "Incident Response Testing | Coordination With Related Plans",
"summary": "The organization coordinates incident response testing with organizational elements responsible for related plans."
},
{
"ref": "IR-4",
"title": "Incident Handling",
"summary": "The organization:\na. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;\nb. Coordinates incident handling activities with contingency planning activities; and\nc. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly."
},
{
"ref": "IR-4 (1)",
"title": "Incident Handling | Automated Incident Handling Processes",
"summary": "The organization employs automated mechanisms to support the incident handling process."
},
{
"ref": "IR-4 (2)",
"title": "Incident Handling | Dynamic Reconfiguration",
"summary": "The organization includes dynamic reconfiguration of **all network, data storage, and computing devices** as part of the incident response capability."
},
{
"ref": "IR-4 (3)",
"title": "Incident Handling | Continuity of Operations",
"summary": "The organization identifies [Assignment: organization-defined classes of incidents] and [Assignment: organization-defined actions to take in response to classes of incidents] to ensure continuation of organizational missions and business functions."
},
{
"ref": "IR-4 (4)",
"title": "Incident Handling | Information Correlation",
"summary": "The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response."
},
{
"ref": "IR-4 (6)",
"title": "Incident Handling | Insider Threats - Specific Capabilities",
"summary": "The organization implements incident handling capability for insider threats."
},
{
"ref": "IR-4 (8)",
"title": "Incident Handling | Correlation With External Organizations",
"summary": "The organization coordinates with **external organizations including consumer incident responders and network defenders and the appropriate CIRT/CERT (such as US-CERT, DOD CERT, IC CERT)** to correlate and share [Assignment: organization-defined incident information] to achieve a cross-organization perspective on incident awareness and more effective incident responses."
},
{
"ref": "IR-5",
"title": "Incident Monitoring",
"summary": "The organization tracks and documents information system security incidents."
},
{
"ref": "IR-5 (1)",
"title": "Incident Monitoring | Automated Tracking / Data Collection / Analysis",
"summary": "The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information."
},
{
"ref": "IR-6",
"title": "Incident Reporting",
"summary": "The organization:\n a. Requires personnel to report suspected security incidents to the organizational incident response capability within **US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)**; and\n b. Reports security incident information to [Assignment: organization-defined authorities]."
},
{
"ref": "IR-6 (1)",
"title": "Incident Reporting | Automated Reporting",
"summary": "The organization employs automated mechanisms to assist in the reporting of security incidents."
},
{
"ref": "IR-7",
"title": "Incident Response Assistance",
"summary": "The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents."
},
{
"ref": "IR-7 (1)",
"title": "Incident Response Assistance | Automation Support for Availability of Information / Support",
"summary": "The organization employs automated mechanisms to increase the availability of incident response-related information and support."
},
{
"ref": "IR-7 (2)",
"title": "Incident Response Assistance | Coordination With External Providers",
"summary": "The organization:\n (a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and\n (b) Identifies organizational incident response team members to the external providers."
},
{
"ref": "IR-8",
"title": "Incident Response Plan",
"summary": "The organization:\n a. Develops an incident response plan that:\n 1. Provides the organization with a roadmap for implementing its incident response capability;\n 2. Describes the structure and organization of the incident response capability;\n 3. Provides a high-level approach for how the incident response capability fits into the overall organization;\n 4. Meets the unique requirements of the organization, which relate to mission, size, structure, and functions;\n 5. Defines reportable incidents;\n 6. Provides metrics for measuring the incident response capability within the organization;\n 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and\n 8. Is reviewed and approved by [Assignment: organization-defined personnel or roles];\n b. Distributes copies of the incident response plan to **see additional FedRAMP Requirements and Guidance**;\n c. Reviews the incident response plan **at least annually**;\n d. Updates the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing;\n e. Communicates incident response plan changes to **see additional FedRAMP Requirements and Guidance**; and\nf. Protects the incident response plan from unauthorized disclosure and modification."
},
{
"ref": "IR-9",
"title": "Information Spillage Response",
"summary": "The organization responds to information spills by:\n a. Identifying the specific information involved in the information system contamination;\n b. Alerting [Assignment: organization-defined personnel or roles] of the information spill using a method of communication not associated with the spill;\n c. Isolating the contaminated information system or system component;\n d. Eradicating the information from the contaminated information system or component;\n e. Identifying other information systems or system components that may have been subsequently contaminated; and\n f. Performing other [Assignment: organization-defined actions]."
},
{
"ref": "IR-9 (1)",
"title": "Information Spillage Response | Responsible Personnel",
"summary": "The organization assigns [Assignment: organization-defined personnel or roles] with responsibility for responding to information spills."
},
{
"ref": "IR-9 (2)",
"title": "Information Spillage Response | Training",
"summary": "The organization provides information spillage response training **at least annually**."
},
{
"ref": "IR-9 (3)",
"title": "Information Spillage Response | Post-Spill Operations",
"summary": "The organization implements [Assignment: organization-defined procedures] to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective actions."
},
{
"ref": "IR-9 (4)",
"title": "Information Spillage Response | Exposure To Unauthorized Personnel",
"summary": "The organization employs [Assignment: organization-defined security safeguards] for personnel exposed to information not within assigned access authorizations."
}
]
},
{
"title": "MAINTENANCE",
"controls": [
{
"ref": "MA-1",
"title": "System Maintenance Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and\n b. Reviews and updates the current:\n 1. System maintenance policy **at least annually**; and\n 2. System maintenance procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "MA-2",
"title": "Controlled Maintenance",
"summary": "The organization:\n a. Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements;\n b. Approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location;\n c. Requires that [Assignment: organization-defined personnel or roles] explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;\n d. Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs;\n e. Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and\n f. Includes [Assignment: organization-defined maintenance-related information] in organizational maintenance records."
},
{
"ref": "MA-2 (2)",
"title": "Controlled Maintenance | Automated Maintenance Activities",
"summary": "The organization:\n (a) Employs automated mechanisms to schedule, conduct, and document maintenance and repairs; and\n (b) Produces up-to-date, accurate, and complete records of all maintenance and repair actions requested, scheduled, in process, and completed."
},
{
"ref": "MA-3",
"title": "Maintenance Tools",
"summary": "The organization approves, controls, and monitors information system maintenance tools."
},
{
"ref": "MA-3 (1)",
"title": "Maintenance Tools | Inspect Tools",
"summary": "The organization inspects the maintenance tools carried into a facility by maintenance personnel for improper or unauthorized modifications."
},
{
"ref": "MA-3 (2)",
"title": "Maintenance Tools | Inspect Media",
"summary": "The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system."
},
{
"ref": "MA-3 (3)",
"title": "Maintenance Tools | Prevent Unauthorized Removal",
"summary": "The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:\n (a) Verifying that there is no organizational information contained on the equipment; \n (b) Sanitizing or destroying the equipment;\n (c) Retaining the equipment within the facility; or\n (d) Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility."
},
{
"ref": "MA-4",
"title": "Nonlocal Maintenance",
"summary": "The organization:\n a. Approves and monitors nonlocal maintenance and diagnostic activities;\n b. Allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system;\n c. Employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions;\n d. Maintains records for nonlocal maintenance and diagnostic activities; and\n e. Terminates session and network connections when nonlocal maintenance is completed."
},
{
"ref": "MA-4 (2)",
"title": "Nonlocal Maintenance | Document Nonlocal Maintenance",
"summary": "The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections."
},
{
"ref": "MA-4 (3)",
"title": "Nonlocal Maintenance | Comparable Security / Sanitization",
"summary": "The organization:\n (a) Requires that nonlocal maintenance and diagnostic services be performed from an information system that implements a security capability comparable to the capability implemented on the system being serviced; or\n (b) Removes the component to be serviced from the information system and prior to nonlocal maintenance or diagnostic services, sanitizes the component (with regard to organizational information) before removal from organizational facilities, and after the service is performed, inspects and sanitizes the component (with regard to potentially malicious software) before reconnecting the component to the information system."
},
{
"ref": "MA-4 (6)",
"title": "Nonlocal Maintenance | Cryptographic Protection",
"summary": "The information system implements cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications."
},
{
"ref": "MA-5",
"title": "Maintenance Personnel",
"summary": "The organization:\n a. Establishes a process for maintenance personnel authorization and maintains a list of authorized maintenance organizations or personnel;\n b. Ensures that non-escorted personnel performing maintenance on the information system have required access authorizations; and\n c. Designates organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations."
},
{
"ref": "MA-5 (1)",
"title": "Maintenance Personnel | Individuals Without Appropriate Access",
"summary": "The organization:\n (a) Implements procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements:\n (1) Maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals are escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified;\n (2) Prior to initiating maintenance or diagnostic activities by personnel who do not have needed access authorizations, clearances or formal access approvals, all volatile information storage components within the information system are sanitized and all nonvolatile storage media are removed or physically disconnected from the system and secured; and\n (b) Develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system."
},
{
"ref": "MA-6",
"title": "Timely Maintenance",
"summary": "The organization obtains maintenance support and/or spare parts for [Assignment: organization-defined information system components] within [Assignment: organization-defined time period] of failure."
}
]
},
{
"title": "MEDIA PROTECTION",
"controls": [
{
"ref": "MP-1",
"title": "Media Protection Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and\n b. Reviews and updates the current:\n 1. Media protection policy **at least annually**; and\n 2. Media protection procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "MP-2",
"title": "Media Access",
"summary": "The organization restricts access to **any digital and non-digital media deemed sensitive** to [Assignment: organization-defined personnel or roles]."
},
{
"ref": "MP-3",
"title": "Media Marking",
"summary": "The organization:\n a. Marks information system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and\n b. Exempts **no removable media types** from marking as long as the media remain within **organization-defined security safeguards not applicable**."
},
{
"ref": "MP-4",
"title": "Media Storage",
"summary": "The organization:\n a. Physically controls and securely stores **all types of digital and non-digital media with sensitive information** within **see additional FedRAMP requirements and guidance**; and\n b. Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures."
},
{
"ref": "MP-5",
"title": "Media Transport",
"summary": "The organization:\n a. Protects and controls [Assignment: organization-defined types of information system media] during transport outside of controlled areas using [Assignment: organization-defined security safeguards];\n b. Maintains accountability for information system media during transport outside of controlled areas;\n c. Documents activities associated with the transport of information system media; and\n d. Restricts the activities associated with the transport of information system media to authorized personnel."
},
{
"ref": "MP-5 (4)",
"title": "Media Transport | Cryptographic Protection",
"summary": "The information system implements cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas."
},
{
"ref": "MP-6",
"title": "Media Sanitization",
"summary": "The organization:\n a. Sanitizes [Assignment: organization-defined information system media] prior to disposal, release out of organizational control, or release for reuse using **techniques and procedures IAW NIST SP 800-88 and Section 5.9: Reuse and Disposal of Storage Media and Hardware** in accordance with applicable federal and organizational standards and policies; and\n b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information."
},
{
"ref": "MP-6 (1)",
"title": "Media Sanitization | Review / Approve / Track / Document / Verify",
"summary": "The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions."
},
{
"ref": "MP-6 (2)",
"title": "Media Sanitization | Equipment Testing",
"summary": "The organization tests sanitization equipment and procedures **at least every six (6) months** to verify that the intended sanitization is being achieved."
},
{
"ref": "MP-6 (3)",
"title": "Media Sanitization | Nondestructive Techniques",
"summary": "The organization applies non-destructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices]."
},
{
"ref": "MP-7",
"title": "Media Use",
"summary": "The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]."
},
{
"ref": "MP-7 (1)",
"title": "Media Use | Prohibit Use Without Owner",
"summary": "The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner."
}
]
},
{
"title": "PHYSICAL AND ENVIRONMENTAL PROTECTION",
"controls": [
{
"ref": "PE-1",
"title": "Physical and Environmental Protection Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and\n b. Reviews and updates the current:\n 1. Physical and environmental protection policy **at least annually**; and\n 2. Physical and environmental protection procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "PE-2",
"title": "Physical Access Authorizations",
"summary": "The organization:\n a. Develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides;\n b. Issues authorization credentials for facility access;\n c. Reviews the access list detailing authorized facility access by individuals **at least every ninety (90) days**; and\n d. Removes individuals from the facility access list when access is no longer required."
},
{
"ref": "PE-3",
"title": "Physical Access Control",
"summary": "The organization:\n a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by:\n 1. Verifying individual access authorizations before granting access to the facility; and\n 2. Controlling ingress/egress to the facility using [Selection (one or more): **CSP defined physical access control systems/devices AND guards**; guards];\n b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];\n c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;\n d. Escorts visitors and monitors visitor activity **in all circumstances within restricted access area where the information system resides**;\n e. Secures keys, combinations, and other physical access devices;\n f. Inventories [Assignment: organization-defined physical access devices] **at least annually**; and\n g. Changes combinations and keys **at least annually** and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated."
},
{
"ref": "PE-3 (1)",
"title": "Physical Access Control | Information System Access",
"summary": "The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system]."
},
{
"ref": "PE-4",
"title": "Access Control for Transmission Medium",
"summary": "The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards]."
},
{
"ref": "PE-5",
"title": "Access Control for Output Devices",
"summary": "The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output."
},
{
"ref": "PE-6",
"title": "Monitoring Physical Access",
"summary": "The organization:\n a. Monitors physical access to the facility where the information system resides to detect and respond to physical security incidents;\n b. Reviews physical access logs **at least monthly** and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and\n c. Coordinates results of reviews and investigations with the organizational incident response capability."
},
{
"ref": "PE-6 (1)",
"title": "Monitoring Physical Access | Intrusion Alarms / Surveillance Equipment",
"summary": "The organization monitors physical intrusion alarms and surveillance equipment."
},
{
"ref": "PE-6 (4)",
"title": "Monitoring Physical Access | Monitoring Physical Access To Information Systems",
"summary": "The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system]."
},
{
"ref": "PE-8",
"title": "Visitor Access Records",
"summary": "The organization:\n a. Maintains visitor access records to the facility where the information system resides for **a minimum of one (1) year**; and\n b. Reviews visitor access records **at least monthly**."
},
{
"ref": "PE-8 (1)",
"title": "Visitor Access Records | Automated Records Maintenance / Review",
"summary": "The organization employs automated mechanisms to facilitate the maintenance and review of visitor access records."
},
{
"ref": "PE-9",
"title": "Power Equipment and Cabling",
"summary": "The organization protects power equipment and power cabling for the information system from damage and destruction."
},
{
"ref": "PE-10",
"title": "Emergency Shutoff",
"summary": "The organization:\n a. Provides the capability of shutting off power to the information system or individual system components in emergency situations;\n b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel; and\n c. Protects emergency power shutoff capability from unauthorized activation."
},
{
"ref": "PE-11",
"title": "Emergency Power",
"summary": "The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss."
},
{
"ref": "PE-11 (1)",
"title": "Emergency Power | Long-Term Alternate Power Supply - Minimal Operational Capability",
"summary": "The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source."
},
{
"ref": "PE-12",
"title": "Emergency Lighting",
"summary": "The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility."
},
{
"ref": "PE-13",
"title": "Fire Protection",
"summary": "The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source."
},
{
"ref": "PE-13 (1)",
"title": "Fire Protection | Detection Devices / Systems",
"summary": "The organization employs fire detection devices/systems for the information system that activate automatically and notify **service provider building maintenance/physical security personnel** and **service provider emergency responders with incident response responsibilities** in the event of a fire."
},
{
"ref": "PE-13 (2)",
"title": "Fire Protection | Suppression Devices / Systems",
"summary": "The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders]."
},
{
"ref": "PE-13 (3)",
"title": "Fire Protection | Automatic Fire Suppression",
"summary": "The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis."
},
{
"ref": "PE-14",
"title": "Temperature and Humidity Controls",
"summary": "The organization:\n a. Maintains temperature and humidity levels within the facility where the information system resides at **consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments**; and\n b. Monitors temperature and humidity levels **continuously**."
},
{
"ref": "PE-14 (2)",
"title": "Temperature and Humidity Controls | Monitoring With Alarms / Notifications",
"summary": "The organization employs temperature and humidity monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment."
},
{
"ref": "PE-15",
"title": "Water Damage Protection",
"summary": "The organization protects the information system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel."
},
{
"ref": "PE-15 (1)",
"title": "Water Damage Protection | Automation Support",
"summary": "The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts **service provider building maintenance/physical security personnel**."
},
{
"ref": "PE-16",
"title": "Delivery and Removal",
"summary": "The organization authorizes, monitors, and controls **all information system components** entering and exiting the facility and maintains records of those items."
},
{
"ref": "PE-17",
"title": "Alternate Work Site",
"summary": "The organization:\n a. Employs [Assignment: organization-defined security controls] at alternate work sites;\n b. Assesses as feasible, the effectiveness of security controls at alternate work sites; and\n c. Provides a means for employees to communicate with information security personnel in case of security incidents or problems."
},
{
"ref": "PE-18",
"title": "Location of Information System Components",
"summary": "The organization positions information system components within the facility to minimize potential damage from **physical and environmental hazards identified during threat assessment** and to minimize the opportunity for unauthorized access."
}
]
},
{
"title": "PLANNING",
"controls": [
{
"ref": "PL-1",
"title": "Security Planning Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and\n b. Reviews and updates the current:\n 1. Security planning policy **at least annually**; and\n 2. Security planning procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "PL-2",
"title": "System Security Plan",
"summary": "The organization:\n a. Develops a security plan for the information system that:\n 1. Is consistent with the organization’s enterprise architecture;\n 2. Explicitly defines the authorization boundary for the system;\n 3. Describes the operational context of the information system in terms of missions and business processes;\n 4. Provides the security categorization of the information system including supporting rationale;\n 5. Describes the operational environment for the information system and relationships with or connections to other information systems;\n 6. Provides an overview of the security requirements for the system;\n 7. Identifies any relevant overlays, if applicable;\n 8. Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and\n 9. Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;\n b. Distributes copies of the security plan and communicates subsequent changes to the plan to [Assignment: organization-defined personnel or roles];\n c. Reviews the security plan for the information system **at least annually**;\n d. Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments; and\n e. Protects the security plan from unauthorized disclosure and modification."
},
{
"ref": "PL-2 (3)",
"title": "System Security Plan | Plan / Coordinate With Other Organizational Entities",
"summary": "The organization plans and coordinates security-related activities affecting the information system with [Assignment: organization-defined individuals or groups] before conducting such activities in order to reduce the impact on other organizational entities."
},
{
"ref": "PL-4",
"title": "Rules of Behavior",
"summary": "The organization:\n a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;\n b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;\n c. Reviews and updates the rules of behavior **annually**; and\n d. Requires individuals who have signed a previous version of the rules of behavior to read and re-sign when the rules of behavior are revised/updated."
},
{
"ref": "PL-4 (1)",
"title": "Rules of Behavior | Social Media and Networking Restrictions",
"summary": "The organization includes in the rules of behavior, explicit restrictions on the use of social media/networking sites and posting organizational information on public websites."
},
{
"ref": "PL-8",
"title": "Information Security Architecture",
"summary": "The organization:\n a. Develops an information security architecture for the information system that:\n 1. Describes the overall philosophy, requirements, and approach to be taken with regard to protecting the confidentiality, integrity, and availability of organizational information;\n 2. Describes how the information security architecture is integrated into and supports the enterprise architecture; and\n 3. Describes any information security assumptions about, and dependencies on, external services;\n b. Reviews and updates the information security architecture **at least annually or when a significant change occurs** to reflect updates in the enterprise architecture; and\n c. Ensures that planned information security architecture changes are reflected in the security plan, the security Concept of Operations (CONOPS), and organizational procurements/acquisitions."
}
]
},
{
"title": "PERSONNEL SECURITY",
"controls": [
{
"ref": "PS-1",
"title": "Personnel Security Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and\n b. Reviews and updates the current:\n 1. Personnel security policy **at least annually**; and\n 2. Personnel security procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "PS-2",
"title": "Position Risk Designation",
"summary": "The organization:\n a. Assigns a risk designation to all organizational positions;\n b. Establishes screening criteria for individuals filling those positions; and\n c. Reviews and updates position risk designations **at least annually**."
},
{
"ref": "PS-3",
"title": "Personnel Screening",
"summary": "The organization:\n a. Screens individuals prior to authorizing access to the information system; and\n b. Rescreens individuals according to [Assignment: organization-defined conditions requiring rescreening and, where rescreening is so indicated, the frequency of such rescreening]."
},
{
"ref": "PS-3 (3)",
"title": "Personnel Screening | Information With Special Protection Measures",
"summary": "The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection:\n (a) Have valid access authorizations that are demonstrated by assigned official government duties; and\n (b) Satisfy [Assignment: organization-defined additional personnel screening criteria]."
},
{
"ref": "PS-4",
"title": "Personnel Termination",
"summary": "The organization, upon termination of individual employment:\n a. Disables information system access within **eight (8) hours**;\n b. Terminates/revokes any authenticators/credentials associated with the individual;\n c. Conducts exit interviews that include a discussion of [Assignment: organization-defined information security topics];\n d. Retrieves all security-related organizational information system-related property;\n e. Retains access to organizational information and information systems formerly controlled by terminated individual; and\n f. Notifies [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period]."
},
{
"ref": "PS-4 (2)",
"title": "Personnel Termination | Automated Notification",
"summary": "The organization employs automated mechanisms to notify **access control personnel responsible for disabling access to the system** upon termination of an individual."
},
{
"ref": "PS-5",
"title": "Personnel Transfer",
"summary": "The organization:\n a. Reviews and confirms ongoing operational need for current logical and physical access authorizations to information systems/facilities when individuals are reassigned or transferred to other positions within the organization;\n b. Initiates [Assignment: organization-defined transfer or reassignment actions] within **twenty-four (24) hours** following the formal transfer action;\n c. Modifies access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and\n d. Notifies [Assignment: organization-defined personnel or roles] within **twenty-four (24) hours**."
},
{
"ref": "PS-6",
"title": "Access Agreements",
"summary": "The organization:\n a. Develops and documents access agreements for organizational information systems;\n b. Reviews and updates the access agreements **at least annually**; and\n c. Ensures that individuals requiring access to organizational information and information systems:\n 1. Sign appropriate access agreements prior to being granted access; and\n 2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or **at least annually and any time there is a change to the user's level of access**."
},
{
"ref": "PS-7",
"title": "Third-Party Personnel Security",
"summary": "The organization:\n a. Establishes personnel security requirements including security roles and responsibilities for third-party providers;\n b. Requires third-party providers to comply with personnel security policies and procedures established by the organization;\n c. Documents personnel security requirements;\n d. Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges, within **terminations: immediately; transfers: twenty-four (24) hours**; and\n e. Monitors provider compliance."
},
{
"ref": "PS-8",
"title": "Personnel Sanctions",
"summary": "The organization:\n a. Employs a formal sanctions process for individuals failing to comply with established information security policies and procedures; and\n b. Notifies **at a minimum, the ISSO and/or similar role within the organization** within [Assignment: organization-defined time period] when a formal employee sanctions process is initiated, identifying the individual sanctioned and the reason for the sanction."
}
]
},
{
"title": "RISK ASSESSMENT",
"controls": [
{
"ref": "RA-1",
"title": "Risk Assessment Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and\n b. Reviews and updates the current:\n 1. Risk assessment policy **at least annually**; and\n 2. Risk assessment procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "RA-2",
"title": "Security Categorization",
"summary": "The organization:\n a. Categorizes information and the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;\n b. Documents the security categorization results (including supporting rationale) in the security plan for the information system; and\n c. Ensures that the security categorization decision is reviewed and approved by the authorizing official or authorizing official designated representative."
},
{
"ref": "RA-3",
"title": "Risk Assessment",
"summary": "The organization:\n a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits;\n b. Documents risk assessment results in [Selection: security plan; risk assessment report; **security assessment report**];\n c. Reviews risk assessment results **at least annually or whenever a significant change occurs**;\n d. Disseminates risk assessment results to [Assignment: organization-defined personnel or roles]; and\n e. Updates the risk assessment **annually** or whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system."
},
{
"ref": "RA-5",
"title": "Vulnerability Scanning",
"summary": "The organization:\n a. Scans for vulnerabilities in the information system and hosted applications **monthly operating system/infrastructure; monthly web applications and databases** and when new vulnerabilities potentially affecting the system/applications are identified and reported;\n b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:\n 1. Enumerating platforms, software flaws, and improper configurations;\n 2. Formatting checklists and test procedures; and\n 3. Measuring vulnerability impact;\n c. Analyzes vulnerability scan reports and results from security control assessments;\n d. Remediates legitimate vulnerabilities **high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180) days from date of discovery**, in accordance with an organizational assessment of risk; and\n e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies)."
},
{
"ref": "RA-5 (1)",
"title": "Vulnerability Scanning | Update Tool Capability",
"summary": "The organization employs vulnerability scanning tools that include the capability to readily update the information system vulnerabilities to be scanned."
},
{
"ref": "RA-5 (2)",
"title": "Vulnerability Scanning | Update By Frequency / Prior To New Scan / When Identified",
"summary": "The organization updates the information system vulnerabilities scanned [Selection (one or more): **prior to a new scan**; prior to a new scan; when new vulnerabilities are identified and reported]."
},
{
"ref": "RA-5 (3)",
"title": "Vulnerability Scanning | Breadth / Depth of Coverage",
"summary": "The organization employs vulnerability scanning procedures that can identify the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked)."
},
{
"ref": "RA-5 (4)",
"title": "Vulnerability Scanning | Discoverable Information",
"summary": "The organization determines what information about the information system is discoverable by adversaries and subsequently takes **notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions**."
},
{
"ref": "RA-5 (5)",
"title": "Vulnerability Scanning | Privileged Access",
"summary": "The information system implements privileged access authorization to **operating systems / web applications / databases** for selected **all scans**."
},
{
"ref": "RA-5 (6)",
"title": "Vulnerability Scanning | Automated Trend Analyses",
"summary": "The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities."
},
{
"ref": "RA-5 (8)",
"title": "Vulnerability Scanning | Review Historic Audit Logs",
"summary": "The organization reviews historic audit logs to determine if a vulnerability identified in the information system has been previously exploited."
},
{
"ref": "RA-5 (10)",
"title": "Vulnerability Scanning | Correlate Scanning Information",
"summary": "The organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors."
}
]
},
{
"title": "SYSTEM AND SERVICES ACQUISITION",
"controls": [
{
"ref": "SA-1",
"title": "System and Services Acquisition Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and\n b. Reviews and updates the current:\n 1. System and services acquisition policy **at least annually**; and\n 2. System and services acquisition procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "SA-2",
"title": "Allocation of Resources",
"summary": "The organization:\n a. Determines information security requirements for the information system or information system service in mission/business process planning;\n b. Determines, documents, and allocates the resources required to protect the information system or information system service as part of its capital planning and investment control process; and\n c. Establishes a discrete line item for information security in organizational programming and budgeting documentation."
},
{
"ref": "SA-3",
"title": "System Development Life Cycle",
"summary": "The organization:\n a. Manages the information system using [Assignment: organization-defined system development life cycle] that incorporates information security considerations;\n b. Defines and documents information security roles and responsibilities throughout the system development life cycle;\n c. Identifies individuals having information security roles and responsibilities; and\n d. Integrates the organizational information security risk management process into system development life cycle activities."
},
{
"ref": "SA-4",
"title": "Acquisition Process",
"summary": "The organization includes the following requirements, descriptions, and criteria, explicitly or by reference, in the acquisition contract for the information system, system component, or information system service in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, guidelines, and organizational mission/business needs:\n a. Security functional requirements;\n b. Security strength requirements;\n c. Security assurance requirements;\n d. Security-related documentation requirements;\n e. Requirements for protecting security-related documentation;\n f. Description of the information system development environment and environment in which the system is intended to operate; and\n g. Acceptance criteria."
},
{
"ref": "SA-4 (1)",
"title": "Acquisition Process | Functional Properties of Security Controls",
"summary": "The organization requires the developer of the information system, system component, or information system service to provide a description of the functional properties of the security controls to be employed."
},
{
"ref": "SA-4 (2)",
"title": "Acquisition Process | Design / Implementation Information for Security Controls",
"summary": "The organization requires the developer of the information system, system component, or information system service to provide design and implementation information for the security controls to be employed that includes: [Selection (one or more): security-relevant external system interfaces; high-level design; low-level design; source code or hardware schematics; **organization-defined design/implementation information**] at [Assignment: organization-defined level of detail]."
},
{
"ref": "SA-4 (8)",
"title": "Acquisition Process | Continuous Monitoring Plan",
"summary": "The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains **at least the minimum requirement as defined in control CA-7**."
},
{
"ref": "SA-4 (9)",
"title": "Acquisition Process | Functions / Ports / Protocols / Services in Use",
"summary": "The organization requires the developer of the information system, system component, or information system service to identify early in the system development life cycle, the functions, ports, protocols, and services intended for organizational use."
},
{
"ref": "SA-4 (10)",
"title": "Acquisition Process | Use of Approved PIV Products",
"summary": "The organization employs only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational information systems."
},
{
"ref": "SA-5",
"title": "Information System Documentation",
"summary": "The organization:\n a. Obtains administrator documentation for the information system, system component, or information system service that describes:\n 1. Secure configuration, installation, and operation of the system, component, or service;\n 2. Effective use and maintenance of security functions/mechanisms; and\n 3. Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions;\n b. Obtains user documentation for the information system, system component, or information system service that describes:\n 1. User-accessible security functions/mechanisms and how to effectively use those security functions/mechanisms;\n 2. Methods for user interaction, which enables individuals to use the system, component, or service in a more secure manner; and\n 3. User responsibilities in maintaining the security of the system, component, or service;\n c. Documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent and [Assignment: organization-defined actions] in response;\n d. Protects documentation as required, in accordance with the risk management strategy; and\n e. Distributes documentation to [Assignment: organization-defined personnel or roles]."
},
{
"ref": "SA-8",
"title": "Security Engineering Principles",
"summary": "The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system."
},
{
"ref": "SA-9",
"title": "External Information System Services",
"summary": "The organization:\n a. Requires that providers of external information system services comply with organizational information security requirements and employ **FedRAMP Security Controls Baseline(s) if Federal information is processed or stored within the external system** in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;\n b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and\n c. Employs **Federal/FedRAMP Continuous Monitoring requirements must be met for external systems where Federal information is processed or stored** to monitor security control compliance by external service providers on an ongoing basis."
},
{
"ref": "SA-9 (1)",
"title": "External Information Systems | Risk Assessments / Organizational Approvals",
"summary": "The organization:\n (a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and\n (b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined personnel or roles]."
},
{
"ref": "SA-9 (2)",
"title": "External Information Systems | Identification of Functions / Ports / Protocols / Services",
"summary": "The organization requires providers of **all external systems where Federal information is processed or stored** to identify the functions, ports, protocols, and other services required for the use of such services."
},
{
"ref": "SA-9 (4)",
"title": "External Information Systems | Consistent Interests of Consumers and Providers",
"summary": "The organization employs **all external systems where Federal information is processed or stored** to ensure that the interests of [Assignment: organization-defined external service providers] are consistent with and reflect organizational interests."
},
{
"ref": "SA-9 (5)",
"title": "External Information Systems | Processing, Storage, and Service Location",
"summary": "The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to **information processing, information data, AND information services** based on [Assignment: organization-defined requirements or conditions]."
},
{
"ref": "SA-10",
"title": "Developer Configuration Management",
"summary": "The organization requires the developer of the information system, system component, or information system service to:\n a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];\n b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];\n c. Implement only organization-approved changes to the system, component, or service;\n d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and\n e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel]."
},
{
"ref": "SA-10 (1)",
"title": "Developer Configuration Management | Software / Firmware Integrity Verification",
"summary": "The organization requires the developer of the information system, system component, or information system service to enable integrity verification of software and firmware components."
},
{
"ref": "SA-11",
"title": "Developer Security Testing and Evaluation",
"summary": "The organization requires the developer of the information system, system component, or information system service to:\n a. Create and implement a security assessment plan;\n b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage];\n c. Produce evidence of the execution of the security assessment plan and the results of the security testing/evaluation;\n d. Implement a verifiable flaw remediation process; and\n e. Correct flaws identified during security testing/evaluation."
},
{
"ref": "SA-11 (1)",
"title": "Developer Security Testing and Evaluation | Static Code Analysis",
"summary": "The organization requires the developer of the information system, system component, or information system service to employ static code analysis tools to identify common flaws and document the results of the analysis."
},
{
"ref": "SA-11 (2)",
"title": "Developer Security Testing and Evaluation | Threat and Vulnerability Analyses",
"summary": "The organization requires the developer of the information system, system component, or information system service to perform threat and vulnerability analyses and subsequent testing/evaluation of the as-built system, component, or service."
},
{
"ref": "SA-11 (8)",
"title": "Developer Security Testing and Evaluation | Dynamic Code Analysis",
"summary": "The organization requires the developer of the information system, system component, or information system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis."
},
{
"ref": "SA-12",
"title": "Supply Chain Protection",
"summary": "The organization protects against supply chain threats to the information system, system component, or information system service by employing **organization and service provider-defined personnel security requirements, approved HW/SW vendor list/process, and secure SDLC procedures** as part of a comprehensive, defense-in-breadth information security strategy."
},
{
"ref": "SA-15",
"title": "Development Process, Standards, and Tools",
"summary": "The organization:\n a. Requires the developer of the information system, system component, or information system service to follow a documented development process that:\n 1. Explicitly addresses security requirements;\n 2. Identifies the standards and tools used in the development process;\n 3. Documents the specific tool options and tool configurations used in the development process; and\n 4. Documents, manages, and ensures the integrity of changes to the process and/or tools used in development; and\n b. Reviews the development process, standards, tools, and tool options/configurations **as needed and as dictated by the current threat posture** to determine if the process, standards, tools, and tool options/configurations selected and employed can satisfy **organization and service provider-defined security requirements**."
},
{
"ref": "SA-16",
"title": "Developer-Provided Training",
"summary": "The organization requires the developer of the information system, system component, or information system service to provide [Assignment: organization-defined training] on the correct use and operation of the implemented security functions, controls, and/or mechanisms."
},
{
"ref": "SA-17",
"title": "Developer Security Architecture and Design",
"summary": "The organization requires the developer of the information system, system component, or information system service to produce a design specification and security architecture that:\n a. Is consistent with and supportive of the organization’s security architecture which is established within and is an integrated part of the organization’s enterprise architecture;\n b. Accurately and completely describes the required security functionality, and the allocation of security controls among physical and logical components; and\n c. Expresses how individual security functions, mechanisms, and services work together to provide required security capabilities and a unified approach to protection."
}
]
},
{
"title": "SYSTEM AND COMMUNICATIONS PROTECTION",
"controls": [
{
"ref": "SC-1",
"title": "System and Communications Protection Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and\n b. Reviews and updates the current:\n 1. System and communications protection policy **at least annually**; and\n 2. System and communications protection procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "SC-2",
"title": "Application Partitioning",
"summary": "The information system separates user functionality (including user interface services) from information system management functionality."
},
{
"ref": "SC-3",
"title": "Security Function Isolation",
"summary": "The information system isolates security functions from nonsecurity functions."
},
{
"ref": "SC-4",
"title": "Information in Shared Resources",
"summary": "The information system prevents unauthorized and unintended information transfer via shared system resources."
},
{
"ref": "SC-5",
"title": "Denial of Service Protection",
"summary": "The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined types of denial of service attacks or reference to source for such information] by employing [Assignment: organization-defined security safeguards]."
},
{
"ref": "SC-6",
"title": "Resource Availability",
"summary": "The information system protects the availability of resources by allocating [Assignment: organization-defined resources] by [Selection (one or more): priority; quota; [Assignment: organization-defined security safeguards]]."
},
{
"ref": "SC-7",
"title": "Boundary Protection",
"summary": "The information system:\n a. Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system;\n b. Implements subnetworks for publicly accessible system components that are [Selection: physically; logically] separated from internal organizational networks; and\n c. Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture."
},
{
"ref": "SC-7 (3)",
"title": "Boundary Protection | Access Points",
"summary": "The organization limits the number of external network connections to the information system."
},
{
"ref": "SC-7 (4)",
"title": "Boundary Protection | External Telecommunications Services",
"summary": "The organization:\n (a) Implements a managed interface for each external telecommunication service;\n (b) Establishes a traffic flow policy for each managed interface;\n (c) Protects the confidentiality and integrity of the information being transmitted across each interface;\n (d) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need; and\n (e) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency] and removes exceptions that are no longer supported by an explicit mission/business need."
},
{
"ref": "SC-7 (5)",
"title": "Boundary Protection | Deny By Default / Allow By Exception",
"summary": "The information system at managed interfaces denies network communications traffic by default and allows network communications traffic by exception (i.e., deny all, permit by exception)."
},
{
"ref": "SC-7 (7)",
"title": "Boundary Protection | Prevent Split Tunneling for Remote Devices",
"summary": "The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks."
},
{
"ref": "SC-7 (8)",
"title": "Boundary Protection | Route Traffic To Authenticated Proxy Servers",
"summary": "The information system routes [Assignment: organization-defined internal communications traffic] to [Assignment: organization-defined external networks] through authenticated proxy servers at managed interfaces."
},
{
"ref": "SC-7 (10)",
"title": "Boundary Protection | Prevent Unauthorized Exfiltration",
"summary": "The organization prevents the unauthorized exfiltration of information across managed interfaces."
},
{
"ref": "SC-7 (12)",
"title": "Boundary Protection | Host-Based Protection",
"summary": "The organization implements **Host Intrusion Prevention System (HIPS), Host Intrusion Detection System (HIDS), or minimally a host-based firewall** at [Assignment: organization-defined information system components]."
},
{
"ref": "SC-7 (13)",
"title": "Boundary Protection | Isolation of Security Tools / Mechanisms / Support Components",
"summary": "The organization isolates [Assignment: organization-defined information security tools, mechanisms, and support components] from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system."
},
{
"ref": "SC-7 (18)",
"title": "Boundary Protection | Fail Secure",
"summary": "The information system fails securely in the event of an operational failure of a boundary protection device."
},
{
"ref": "SC-7 (20)",
"title": "Boundary Protection | Dynamic Isolation / Segregation",
"summary": "The information system provides the capability to dynamically isolate/segregate [Assignment: organization-defined information system components] from other components of the system."
},
{
"ref": "SC-7 (21)",
"title": "Boundary Protection | Isolation of Information System Components",
"summary": "The organization employs boundary protection mechanisms to separate [Assignment: organization-defined information system components] supporting [Assignment: organization-defined missions and/or business functions]."
},
{
"ref": "SC-8",
"title": "Transmission Confidentiality and Integrity",
"summary": "The information system protects the [Selection (one or more): confidentiality; integrity] of transmitted information."
},
{
"ref": "SC-8 (1)",
"title": "Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection",
"summary": "The information system implements cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission unless otherwise protected by **prevent unauthorized disclosure of information AND detect changes to information**."
},
{
"ref": "SC-10",
"title": "Network Disconnect",
"summary": "The information system terminates the network connection associated with a communications session at the end of the session or after **no longer than ten (10) minutes for privileged sessions and no longer than fifteen (15) minutes for user sessions** of inactivity."
},
{
"ref": "SC-12",
"title": "Cryptographic Key Establishment and Management",
"summary": "The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]."
},
{
"ref": "SC-12 (1)",
"title": "Cryptographic Key Establishment and Management | Availability",
"summary": "The organization maintains availability of information in the event of the loss of cryptographic keys by users."
},
{
"ref": "SC-12 (2)",
"title": "Cryptographic Key Establishment and Management | Symmetric Keys",
"summary": "The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST FIPS-compliant; NSA-approved] key management technology and processes."
},
{
"ref": "SC-12 (3)",
"title": "Cryptographic Key Establishment and Management | Asymmetric Keys",
"summary": "The organization produces, controls, and distributes asymmetric cryptographic keys using [Selection: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user’s private key]."
},
{
"ref": "SC-13",
"title": "Cryptographic Protection",
"summary": "The information system implements **FIPS-validated or NSA-approved cryptography** in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards."
},
{
"ref": "SC-15",
"title": "Collaborative Computing Devices",
"summary": "The information system:\n a. Prohibits remote activation of collaborative computing devices with the following exceptions: **no exceptions**; and\n b. Provides an explicit indication of use to users physically present at the devices."
},
{
"ref": "SC-17",
"title": "Public Key Infrastructure Certificates",
"summary": "The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates from an approved service provider."
},
{
"ref": "SC-18",
"title": "Mobile Code",
"summary": "The organization:\n a. Defines acceptable and unacceptable mobile code and mobile code technologies;\n b. Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and\n c. Authorizes, monitors, and controls the use of mobile code within the information system."
},
{
"ref": "SC-19",
"title": "Voice Over Internet Protocol",
"summary": "The organization:\n a. Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and\n b. Authorizes, monitors, and controls the use of VoIP within the information system."
},
{
"ref": "SC-20",
"title": "Secure Name / Address Resolution Service (Authoritative Source)",
"summary": "The information system:\n a. Provides additional data origin and integrity artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and\n b. Provides the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace."
},
{
"ref": "SC-21",
"title": "Secure Name / Address Resolution Service (Recursive or Caching Resolver)",
"summary": "The information system requests and performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources."
},
{
"ref": "SC-22",
"title": "Architecture and Provisioning for Name/Address Resolution Service",
"summary": "The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation."
},
{
"ref": "SC-23",
"title": "Session Authenticity",
"summary": "The information system protects the authenticity of communications sessions."
},
{
"ref": "SC-23 (1)",
"title": "Session Authenticity | Invalidate Session Identifiers At Logout",
"summary": "The information system invalidates session identifiers upon user logout or other session termination."
},
{
"ref": "SC-24",
"title": "Fail in Known State",
"summary": "The information system fails to a [Assignment: organization-defined known-state] for [Assignment: organization-defined types of failures] preserving [Assignment: organization-defined system state information] in failure."
},
{
"ref": "SC-28",
"title": "Protection of Information At Rest",
"summary": "The information system protects the [Selection (one or more): confidentiality; integrity] of **confidentiality AND integrity**."
},
{
"ref": "SC-28 (1)",
"title": "Protection of Information At Rest | Cryptographic Protection",
"summary": "The information system implements cryptographic mechanisms to prevent unauthorized disclosure and modification of **all information system components storing customer data deemed sensitive** on [Assignment: organization-defined information system components]."
},
{
"ref": "SC-39",
"title": "Process Isolation",
"summary": "The information system maintains a separate execution domain for each executing process."
}
]
},
{
"title": "SYSTEM AND INFORMATION INTEGRITY",
"controls": [
{
"ref": "SI-1",
"title": "System and Information Integrity Policy and Procedures",
"summary": "The organization:\n a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:\n 1. A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and\n 2. Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and\n b. Reviews and updates the current:\n 1. System and information integrity policy **at least annually**; and\n 2. System and information integrity procedures **at least annually or whenever a significant change occurs**."
},
{
"ref": "SI-2",
"title": "Flaw Remediation",
"summary": "The organization:\n a. Identifies, reports, and corrects information system flaws;\n b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;\n c. Installs security-relevant software and firmware updates within **thirty (30) days of release of updates** of the release of the updates; and\n d. Incorporates flaw remediation into the organizational configuration management process."
},
{
"ref": "SI-2 (1)",
"title": "Flaw Remediation | Central Management",
"summary": "The organization centrally manages the flaw remediation process."
},
{
"ref": "SI-2 (2)",
"title": "Flaw Remediation | Automated Flaw Remediation Status",
"summary": "The organization employs automated mechanisms **at least monthly** to determine the state of information system components with regard to flaw remediation."
},
{
"ref": "SI-2 (3)",
"title": "Flaw Remediation | Time To Remediate Flaws / Benchmarks for Corrective Actions",
"summary": "The organization:\n (a) Measures the time between flaw identification and flaw remediation; and\n (b) Establishes [Assignment: organization-defined benchmarks] for taking corrective actions."
},
{
"ref": "SI-3",
"title": "Malicious Code Protection",
"summary": "The organization:\n a. Employs malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;\n b. Updates malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;\n c. Configures malicious code protection mechanisms to:\n 1. Perform periodic scans of the information system **at least weekly** and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry/exit points] as the files are downloaded, opened, or executed in accordance with organizational security policy; and\n 2. [Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action, **to include blocking and quarantining malicious code and alerting administrator or defined security personnel near-realtime**]] in response to malicious code detection; and\n d. Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system."
},
{
"ref": "SI-3 (1)",
"title": "Malicious Code Protection | Central Management",
"summary": "The organization centrally manages malicious code protection mechanisms."
},
{
"ref": "SI-3 (2)",
"title": "Malicious Code Protection | Automatic Updates",
"summary": "The information system automatically updates malicious code protection mechanisms."
},
{
"ref": "SI-3 (7)",
"title": "Malicious Code Protection | Nonsignature-Based Detection",
"summary": "The information system implements nonsignature-based malicious code detection mechanisms."
},
{
"ref": "SI-4",
"title": "Information System Monitoring",
"summary": "The organization:\n a. Monitors the information system to detect:\n 1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and\n 2. Unauthorized local, network, and remote connections;\n b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];\n c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;\n d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;\n e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;\n f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and\n g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]]."
},
{
"ref": "SI-4 (1)",
"title": "Information System Monitoring | System-Wide Intrusion Detection System",
"summary": "The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system."
},
{
"ref": "SI-4 (2)",
"title": "Information System Monitoring | Automated Tools for Real-Time Analysis",
"summary": "The organization employs automated tools to support near real-time analysis of events."
},
{
"ref": "SI-4 (4)",
"title": "Information System Monitoring | Inbound and Outbound Communications Traffic",
"summary": "The information system monitors inbound and outbound communications traffic **continuously** for unusual or unauthorized activities or conditions."
},
{
"ref": "SI-4 (5)",
"title": "Information System Monitoring | System-Generated Alerts",
"summary": "The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators]."
},
{
"ref": "SI-4 (11)",
"title": "Information System Monitoring | Analyze Communications Traffic Anomalies",
"summary": "The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies."
},
{
"ref": "SI-4 (14)",
"title": "Information System Monitoring | Wireless Intrusion Detection",
"summary": "The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system."
},
{
"ref": "SI-4 (16)",
"title": "Information System Monitoring | Correlate Monitoring Information",
"summary": "The organization correlates information from monitoring tools employed throughout the information system."
},
{
"ref": "SI-4 (18)",
"title": "Information System Monitoring | Analyze Traffic / Covert Exfiltration",
"summary": "The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information."
},
{
"ref": "SI-4 (19)",
"title": "Information System Monitoring | Individuals Posing Greater Risk",
"summary": "The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk."
},
{
"ref": "SI-4 (20)",
"title": "Information System Monitoring | Privileged User",
"summary": "The organization implements [Assignment: organization-defined additional monitoring] of privileged users."
},
{
"ref": "SI-4 (22)",
"title": "Information System Monitoring | Unauthorized Network Services",
"summary": "The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]]."
},
{
"ref": "SI-4 (23)",
"title": "Information System Monitoring | Host-Based Devices",
"summary": "The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components]."
},
{
"ref": "SI-4 (24)",
"title": "Information System Monitoring | Indicators of Compromise",
"summary": "The information system discovers, collects, distributes, and uses indicators of compromise."
},
{
"ref": "SI-5",
"title": "Security Alerts, Advisories, and Directives",
"summary": "The organization:\n a. Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations, **to include US-CERT**] on an ongoing basis;\n b. Generates internal security alerts, advisories, and directives as deemed necessary;\n c. Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles, **to include system security personnel and administrators with configuration/patch-management responsibilities**]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]]; and\n d. Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance."
},
{
"ref": "SI-5 (1)",
"title": "Security Alerts, Advisories, and Directives | Automated Alerts and Advisories",
"summary": "The organization employs automated mechanisms to make security alert and advisory information available throughout the organization."
},
{
"ref": "SI-6",
"title": "Security Function Verification",
"summary": "The information system:\n a. Verifies the correct operation of [Assignment: organization-defined security functions];\n b. Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states, **to include upon system startup and/or restart and at least monthly**]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]];\n c. Notifies [Assignment: organization-defined personnel or roles, **to include system administrators and security personnel**] of failed security verification tests; and\n d. [Selection (one or more): shuts the information system down; restarts the information system; [Assignment: organization-defined alternative action(s), **to include notification of system administrators and security personnel**]] when anomalies are discovered."
},
{
"ref": "SI-7",
"title": "Software, Firmware, and Information Integrity",
"summary": "The organization employs integrity verification tools to detect unauthorized changes to [Assignment: organization-defined software, firmware, and information]."
},
{
"ref": "SI-7 (1)",
"title": "Software, Firmware, and Information Integrity | Integrity Checks",
"summary": "The information system performs an integrity check of [Assignment: organization-defined software, firmware, and information] [Selection (one or more): at startup; at [Assignment: organization-defined transitional states or security-relevant events, **selection to include security relevant events**]; **at least monthly**]."
},
{
"ref": "SI-7 (2)",
"title": "Software, Firmware, and Information Integrity | Automated Notifications of Integrity Violations",
"summary": "The organization employs automated tools that provide notification to [Assignment: organization-defined personnel or roles] upon discovering discrepancies during integrity verification."
},
{
"ref": "SI-7 (5)",
"title": "Software, Firmware, and Information Integrity | Automated Response To Integrity Violations",
"summary": "The information system automatically [Selection (one or more): shuts the information system down; restarts the information system; implements [Assignment: organization-defined security safeguards]] when integrity violations are discovered."
},
{
"ref": "SI-7 (7)",
"title": "Software, Firmware, and Information Integrity | Integration of Detection and Response",
"summary": "The organization incorporates the detection of unauthorized [Assignment: organization-defined security-relevant changes to the information system] into the organizational incident response capability."
},
{
"ref": "SI-7 (14)",
"title": "Software, Firmware, and Information Integrity | Binary or Machine Executable Code",
"summary": "The organization:\n (a) Prohibits the use of binary or machine-executable code from sources with limited or no warranty and without the provision of source code; and\n (b) Provides exceptions to the source code requirement only for compelling mission/operational requirements and with the approval of the authorizing official."
},
{
"ref": "SI-8",
"title": "Spam Protection",
"summary": "The organization:\n a. Employs spam protection mechanisms at information system entry and exit points to detect and take action on unsolicited messages; and\n b. Updates spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures."
},
{
"ref": "SI-8 (1)",
"title": "Spam Protection | Central Management",
"summary": "The organization centrally manages spam protection mechanisms."
},
{
"ref": "SI-8 (2)",
"title": "Spam Protection | Automatic Updates",
"summary": "The information system automatically updates spam protection mechanisms."
},
{
"ref": "SI-10",
"title": "Information Input Validation",
"summary": "The information system checks the validity of [Assignment: organization-defined information inputs]."
},
{
"ref": "SI-11",
"title": "Error Handling",
"summary": "The information system:\n a. Generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries; and\n b. Reveals error messages only to [Assignment: organization-defined personnel or roles]."
},
{
"ref": "SI-12",
"title": "Information Handling and Retention",
"summary": "The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements."
},
{
"ref": "SI-16",
"title": "Memory Protection",
"summary": "The information system implements [Assignment: organization-defined security safeguards] to protect its memory from unauthorized code execution."
}
]
}
]
}