Develop, document, and disseminate to [assignment]: [assignment] access control policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational
Define and document the types of accounts allowed and specifically prohibited for use within the system; Assign account managers; Require [assignment] for group and role membership; Specify: Authorize
Support the management of system accounts using [assignment].
Automatically [assignment] temporary and emergency accounts after [assignment].
Disable accounts within [assignment] when the accounts: Have expired; Are no longer associated with a user or individual; Are in violation of organizational policy; or Have been inactive for [assignme
Automatically audit account creation, modification, enabling, disabling, and removal actions.
Require that users log out when [assignment].
Implement [assignment].
Establish and administer privileged user accounts in accordance with [assignment]; Monitor privileged role or attribute assignments; Monitor changes to roles or attributes; and Revoke access when priv
Create, activate, manage, and deactivate [assignment] dynamically.
Only permit the use of shared and group accounts that meet [assignment].
Enforce [assignment] for [assignment].
Monitor system accounts for [assignment]; and Report atypical usage of system accounts to [assignment].
Disable accounts of individuals within [assignment] of discovery of [assignment].
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Enforce dual authorization for [assignment].
Enforce [assignment] over the set of covered subjects and objects specified in the policy, and where the policy: Is uniformly enforced across the covered subjects and objects within the system; Specif
Enforce [assignment] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more
Prevent access to [assignment] except during secure, non-operable system states.
Enforce a role-based access control policy over defined subjects and objects and control access based upon [assignment].
Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [assignment].
Release information outside of the system only if: The receiving [assignment] provides [assignment]; and [assignment] are used to validate the appropriateness of the information designated for releas
Employ an audited override of automated access control mechanisms under [assignment] by [assignment].
Restrict access to data repositories containing [assignment].
Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [assignment]; Provide an enforcement mechanism to prevent una
Enforce attribute-based access control policy over defined subjects and objects and control access based upon [assignment].
Provide [assignment] to enable individuals to have access to the following elements of their personally identifiable information: [assignment].
Enforce [assignment] over the set of covered subjects and objects specified in the policy; and Enforce [assignment] over the set of covered subjects and objects specified in the policy.
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [assignment].
Use [assignment] associated with [assignment] to enforce [assignment] as a basis for flow control decisions.
Use protected processing domains to enforce [assignment] as a basis for flow control decisions.
Enforce [assignment].
Prevent encrypted information from bypassing [assignment] by [assignment].
Enforce [assignment] on embedding data types within other data types.
Enforce information flow control based on [assignment].
Enforce one-way information flows through hardware-based flow control mechanisms.
Enforce information flow control using [assignment] as a basis for flow control decisions for [assignment]; and [assignment] data after a filter processing failure in accordance with [assignment].
Enforce the use of human reviews for [assignment] under the following conditions: [assignment].
Provide the capability for privileged administrators to enable and disable [assignment] under the following conditions: [assignment].
Provide the capability for privileged administrators to configure [assignment] to support different security or privacy policies.
When transferring information between different security domains, use [assignment] to validate data essential for information flow decisions.
When transferring information between different security domains, decompose information into [assignment] for submission to policy enforcement mechanisms.
When transferring information between different security domains, implement [assignment] requiring fully enumerated formats that restrict data structure and content.
When transferring information between different security domains, examine the information for the presence of [assignment] and prohibit the transfer of such information in accordance with the [assignm
Uniquely identify and authenticate source and destination points by [assignment] for information transfer.
When transferring information between different security domains, implement [assignment] on metadata.
Employ [assignment] to control the flow of [assignment] across security domains.
Separate information flows logically or physically using [assignment] to accomplish [assignment].
Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security doma
When transferring information between different security domains, modify non-releasable information by implementing [assignment].
When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.
When transferring information between different security domains, sanitize data to minimize [assignment] in accordance with [assignment].
When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.
When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.
When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.
When transferring information between different security domains, employ content filter orchestration engines to ensure that: Content filtering mechanisms successfully complete execution without error
When transferring information between different security domains, implement content filtering mechanisms using multiple processes.
When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.
When transferring information between different security domains, the process that transfers information between filter pipelines: Does not filter message content; Validates filtering metadata; Ensure
Identify and document [assignment]; and Define system access authorizations to support separation of duties.
Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.
Authorize access for [assignment] to: [assignment]; and [assignment].
Require that users of system accounts (or roles) with access to [assignment] use non-privileged accounts or roles, when accessing nonsecurity functions.
Authorize network access to [assignment] only for [assignment] and document the rationale for such access in the security plan for the system.
Provide separate processing domains to enable finer-grained allocation of user privileges.
Restrict privileged accounts on the system to [assignment].
Prohibit privileged access to the system by non-organizational users.
Review [assignment] the privileges assigned to [assignment] to validate the need for such privileges; and Reassign or remove privileges, if necessary, to correctly reflect organizational mission and b
Prevent the following software from executing at higher privilege levels than users executing the software: [assignment].
Log the execution of privileged functions.
Prevent non-privileged users from executing privileged functions.
Enforce a limit of [assignment] consecutive invalid logon attempts by a user during a [assignment]; and Automatically [assignment] when the maximum number of unsuccessful attempts is exceeded.
Purge or wipe information from [assignment] based on [assignment] after [assignment] consecutive, unsuccessful device logon attempts.
Limit the number of unsuccessful biometric logon attempts to [assignment].
Allow the use of [assignment] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and Enforce a l
Display [assignment] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, stan
Notify the user, upon successful logon to the system, of the date and time of the last logon.
Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.
Notify the user, upon successful logon, of the number of [assignment] during [assignment].
Notify the user, upon successful logon, of changes to [assignment] during [assignment].
Notify the user, upon successful logon, of the following additional information: [assignment].
Limit the number of concurrent sessions for each [assignment] to [assignment].
Prevent further access to the system by [assignment]; and Retain the device lock until the user reestablishes access using established identification and authentication procedures.
Conceal, via the device lock, information previously visible on the display with a publicly viewable image.
Automatically terminate a user session after [assignment].
Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [assignment].
Display an explicit logout message to users indicating the termination of authenticated communications sessions.
Display an explicit message to users indicating that the session will end in [assignment].
Identify [assignment] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and Document and provide supporting ra
Provide the means to associate [assignment] with [assignment] for information in storage, in process, and/or in transmission; Ensure that the attribute associations are made and retained with the info
Dynamically associate security and privacy attributes with [assignment] in accordance with the following security and privacy policies as information is created and combined: [assignment].
Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes.
Maintain the association and integrity of [assignment] to [assignment].
Provide the capability to associate [assignment] with [assignment] by authorized individuals (or processes acting on behalf of individuals).
Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify [assignment] using [assignment].
Require personnel to associate and maintain the association of [assignment] with [assignment] in accordance with [assignment].
Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.
Implement [assignment] in associating security and privacy attributes to information.
Change security and privacy attributes associated with information only via regrading mechanisms validated using [assignment].
Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects.
Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and Authorize each type of remote access to the sy
Employ automated mechanisms to monitor and control remote access methods.
Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.
Route remote accesses through authorized and managed network access control points.
Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [assignment
Protect information about remote access mechanisms from unauthorized use and disclosure.
Provide the capability to disconnect or disable remote access to the system within [assignment].
Implement [assignment] to authenticate [assignment].
Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and Authorize each type of wireless access to the system prior to allowing
Protect wireless access to the system using authentication of [assignment] and encryption.
Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.
Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.
Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.
Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and
Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official;
Employ [assignment] to protect the confidentiality and integrity of information on [assignment].
[assignment], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: Access the syste
Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after: Verification of the implementation of con
Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [assignment].
Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [assignment].
Prohibit the use of [assignment] in external systems.
Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems.
Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [assignment]; and Employ [assignment] to assis
Employ [assignment] to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.
Implement information search and retrieval services that enforce [assignment].
Designate individuals authorized to make information publicly accessible; Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information; Review the
Employ [assignment] for [assignment] to detect and protect against unauthorized data mining.
[assignment] to ensure [assignment] are applied to each access request prior to access enforcement.
Transmit [assignment] using [assignment] to [assignment] that enforce access control decisions.
Enforce access control decisions based on [assignment] that do not include the identity of the user or process acting on behalf of the user.
Implement a reference monitor for [assignment] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
Develop, document, and disseminate to [assignment]: [assignment] awareness and training policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organi
Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): As part of initial training for new users and [assignment] thereafter; and When
Provide practical exercises in literacy training that simulate events and incidents.
Provide literacy training on recognizing and reporting potential indicators of insider threat.
Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.
Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using [assignment].
Provide literacy training on the advanced persistent threat.
Provide literacy training on the cyber threat environment; and Reflect current cyber threat information in system operations.
Provide role-based security and privacy training to personnel with the following roles and responsibilities: [assignment]: Before authorizing access to the system, information, or performing assigned
Provide [assignment] with initial and [assignment] training in the employment and operation of environmental controls.
Provide [assignment] with initial and [assignment] training in the employment and operation of physical security controls.
Provide practical exercises in security and privacy training that reinforce training objectives.
Provide [assignment] with initial and [assignment] training in the employment and operation of personally identifiable information processing and transparency controls.
Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and Retain individua
Provide feedback on organizational training results to the following personnel [assignment]: [assignment].
Develop, document, and disseminate to [assignment]: [assignment] audit and accountability policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among orga
Identify the types of events that the system is capable of logging in support of the audit function: [assignment]; Coordinate the event logging function with other organizational entities requiring au
Ensure that audit records contain information that establishes the following: What type of event occurred; When the event occurred; Where the event occurred; Source of the event; Outcome of the event;
Generate audit records containing the following additional information: [assignment].
Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: [assignment].
Allocate audit log storage capacity to accommodate [assignment].
Transfer audit logs [assignment] to a different system, system component, or media other than the system or system component conducting the logging.
Alert [assignment] within [assignment] in the event of an audit logging process failure; and Take the following additional actions: [assignment].
Provide a warning to [assignment] within [assignment] when allocated audit log storage volume reaches [assignment] of repository maximum audit log storage capacity.
Provide an alert within [assignment] to [assignment] when the following audit failure events occur: [assignment].
Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and [assignment] network traffic above those thresholds.
Invoke a [assignment] in the event of [assignment], unless an alternate audit logging capability exists.
Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [assignment].
Review and analyze system audit records [assignment] for indications of [assignment] and the potential impact of the inappropriate or unusual activity; Report findings to [assignment]; and Adjust the
Integrate audit record review, analysis, and reporting processes using [assignment].
Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.
Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.
Integrate analysis of audit records with analysis of [assignment] to further enhance the ability to identify inappropriate or unusual activity.
Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity
Specify the permitted actions for each [assignment] associated with the review, analysis, and reporting of audit record information.
Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis.
Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.
Provide and implement an audit record reduction and report generation capability that: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of
Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [assignment].
Use internal system clocks to generate time stamps for audit records; and Record time stamps for audit records that meet [assignment] and that use Coordinated Universal Time, have a fixed local time o
Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and Alert [assignment] upon detection of unauthorized access, modification, or deletion of audit
Write audit trails to hardware-enforced, write-once media.
Store audit records [assignment] in a repository that is part of a physically different system or system component than the system or component being audited.
Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
Authorize access to management of audit logging functionality to only [assignment].
Enforce dual authorization for [assignment] of [assignment].
Authorize read-only access to audit information to [assignment].
Store audit information on a component running a different operating system than the system or component being audited.
Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [assignment].
Bind the identity of the information producer with the information to [assignment]; and Provide the means for authorized individuals to determine the identity of the producer of the information.
Validate the binding of the information producer identity to the information at [assignment]; and Perform [assignment] in the event of a validation error.
Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released.
Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between [assignment]; and Perform [assignment] in the event
Retain audit records for [assignment] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.
Employ [assignment] to ensure that long-term audit records generated by the system can be retrieved.
Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on [assignment]; Allow [assignment] to select the event types that a
Compile audit records from [assignment] into a system-wide (logical or physical) audit trail that is time-correlated to within [assignment].
Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.
Provide and implement the capability for [assignment] to change the logging to be performed on [assignment] based on [assignment] within [assignment].
Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.
Monitor [assignment] [assignment] for evidence of unauthorized disclosure of organizational information; and If an information disclosure is discovered: Notify [assignment]; and Take the following ad
Monitor open-source information and information sites using [assignment].
Review the list of open-source information sites being monitored [assignment].
Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner.
Provide and implement the capability for [assignment] to [assignment] the content of a user session under [assignment]; and Develop, integrate, and use session auditing activities in consultation wit
Initiate session audits automatically at system start-up.
Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.
Employ [assignment] for coordinating [assignment] among external organizations when audit information is transmitted across organizational boundaries.
Preserve the identity of individuals in cross-organizational audit trails.
Provide cross-organizational audit information to [assignment] based on [assignment].
Implement [assignment] to disassociate individuals from audit information transmitted across organizational boundaries.
Develop, document, and disseminate to [assignment]: [assignment] assessment, authorization, and monitoring policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordi
Select the appropriate assessor or assessment team for the type of assessment to be conducted; Develop a control assessment plan that describes the scope of the assessment including: Controls and cont
Employ independent assessors or assessment teams to conduct control assessments.
Include as part of control assessments, [assignment], [assignment], [assignment].
Leverage the results of control assessments performed by [assignment] on [assignment] when the assessment meets [assignment].
Approve and manage the exchange of information between the system and other systems using [assignment]; Document, as part of each exchange agreement, the interface characteristics, security and privac
Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.
Identify transitive (downstream) information exchanges with other systems through the systems identified in [CA-3a](#ca-3_smt.a); and Take measures to ensure that transitive (downstream) information
Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls
Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [assignment].
Assign a senior official as the authorizing official for the system; Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems; Ensur
Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization.
Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Establishing the follo
Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.
Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modif
Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: Effectiveness monitoring; Compliance monitoring; and Change monitoring.
Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: [assignment].
Ensure the accuracy, currency, and availability of monitoring results for the system using [assignment].
Conduct penetration testing [assignment] on [assignment].
Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.
Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [assignment].
Employ a penetration testing process that includes [assignment] [assignment] attempts to bypass or circumvent controls associated with physical access points to the facility.
Authorize internal connections of [assignment] to the system; Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the informatio
Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.
Develop, document, and disseminate to [assignment]: [assignment] configuration management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among orga
Develop, document, and maintain under configuration control, a current baseline configuration of the system; and Review and update the baseline configuration of the system: [assignment]; When required
Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [assignment].
Retain [assignment] of previous versions of baseline configurations of the system to support rollback.
Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.
Issue [assignment] with [assignment] to individuals traveling to locations that the organization deems to be of significant risk; and Apply the following controls to the systems or components when the
Determine and document the types of changes to the system that are configuration-controlled; Review proposed configuration-controlled changes to the system and approve or disapprove such changes with
Use [assignment] to: Document proposed changes to the system; Notify [assignment] of proposed changes to the system and request change approval; Highlight proposed changes to the system that have not
Test, validate, and document changes to the system before finalizing the implementation of the changes.
Implement changes to the current system baseline and deploy the updated baseline across the installed base using [assignment].
Require [assignment] to be members of the [assignment].
Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: [assignment].
Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [assignment].
Review changes to the system [assignment] or when [assignment] to determine whether unauthorized changes have occurred.
Prevent or restrict changes to the configuration of the system under the following circumstances: [assignment].
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.
Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or
After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
Enforce access restrictions using [assignment]; and Automatically generate audit records of the enforcement actions.
Enforce dual authorization for implementing changes to [assignment].
Limit privileges to change system components and system-related information within a production or operational environment; and Review and reevaluate privileges [assignment].
Limit privileges to change software resident within software libraries.
Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [assignment]; Implement th
Manage, apply, and verify configuration settings for [assignment] using [assignment].
Take the following actions in response to unauthorized changes to [assignment]: [assignment].
Configure the system to provide only [assignment]; and Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [assignment].
Review the system [assignment] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and Disable or remove [assignment].
Prevent program execution in accordance with [assignment].
Ensure compliance with [assignment].
Identify [assignment]; Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and Review and update the list of unauthorized software
Identify [assignment]; Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and Review and update the list of authorized software program
Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: [assignment].
Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [assignment] when such code is: Obtained from sources w
Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and Allow exceptions only for compelling mission or operational
Identify [assignment]; Prohibit the use or connection of unauthorized hardware components; Review and update the list of authorized hardware components [assignment].
Develop and document an inventory of system components that: Accurately reflects the system; Includes all components within the system; Does not include duplicate accounting of components or component
Update the inventory of system components as part of component installations, removals, and system updates.
Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [assignment].
Detect the presence of unauthorized hardware, software, and firmware components within the system using [assignment] [assignment]; and Take the following actions when unauthorized components are dete
Include in the system component inventory information, a means for identifying by [assignment], individuals responsible and accountable for administering those components.
Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.
Provide a centralized repository for the inventory of system components.
Support the tracking of system components by geographic location using [assignment].
Assign system components to a system; and Receive an acknowledgement from [assignment] of this assignment.
Develop, document, and implement a configuration management plan for the system that: Addresses roles, responsibilities, and configuration management processes and procedures; Establishes a process fo
Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.
Use software and associated documentation in accordance with contract agreements and copyright laws; Track the use of software and associated documentation protected by quantity licenses to control co
Establish the following restrictions on the use of open-source software: [assignment].
Establish [assignment] governing the installation of software by users; Enforce software installation policies through the following methods: [assignment]; and Monitor policy compliance [assignment].
Allow user installation of software only with explicit privileged status.
Enforce and monitor compliance with software installation policies using [assignment].
Identify and document the location of [assignment] and the specific system components on which the information is processed and stored; Identify and document the users who have access to the system an
Use automated tools to identify [assignment] on [assignment] to ensure controls are in place to protect organizational information and individual privacy.
Develop and document a map of system data actions.
Prevent the installation of [assignment] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
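The signed-component gate in the statement above, as an added Go example that is not part of the control text and not any particular product's installer: the installer holds a trust store of organization-approved Ed25519 public keys indexed by key ID, and refuses a component that is unsigned, that names a key outside the store, or whose bytes no longer match the signature. The key IDs, seed labels, artifact bytes and the vendor-side signing routine are all constructed for the demonstration; production signing keys would live in an HSM or KMS and the trust store would itself be under configuration control.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Component is what an installer receives: the artifact bytes, the identifier of the
// key that signed it, and a detached Ed25519 signature (all fields constructed here).
type Component struct {
	Name      string
	Payload   []byte
	KeyID     string
	Signature []byte
}

// TrustStore holds only the signing keys the organization has recognized and approved.
type TrustStore map[string]ed25519.PublicKey

var (
	ErrUnsigned      = errors.New("component is not signed")
	ErrUnknownSigner = errors.New("signer is not recognized or approved by the organization")
	ErrBadSignature  = errors.New("signature does not verify over the component")
)

// signedMessage binds the component name to its payload, so a correctly signed payload
// cannot be re-labelled and delivered as a different component.
func signedMessage(c Component) []byte {
	msg := append([]byte(c.Name), 0)
	return append(msg, c.Payload...)
}

// VerifyComponent is the installation gate: it returns nil only when the component carries
// a signature from an approved key that verifies over the name and payload.
func VerifyComponent(ts TrustStore, c Component) error {
	if c.KeyID == "" || len(c.Signature) == 0 {
		return ErrUnsigned
	}
	pub, ok := ts[c.KeyID]
	if !ok {
		return ErrUnknownSigner // the key ID is a lookup hint, never a trust decision
	}
	if !ed25519.Verify(pub, signedMessage(c), c.Signature) {
		return ErrBadSignature
	}
	return nil
}

// signComponent stands in for a vendor's release pipeline (hypothetical).
func signComponent(name string, payload []byte, keyID string, priv ed25519.PrivateKey) Component {
	c := Component{Name: name, Payload: payload, KeyID: keyID}
	c.Signature = ed25519.Sign(priv, signedMessage(c))
	return c
}

// keyFromLabel derives a deterministic demo key from a label; real keys come from an HSM or KMS.
func keyFromLabel(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// Demo runs the gate over five constructed deliveries and reports the outcome of each.
func Demo() map[string]error {
	vendor := keyFromLabel("vendor-release-key") // approved signer (constructed)
	rogue := keyFromLabel("unapproved-key")      // valid Ed25519 key, but not in the trust store
	ts := TrustStore{"vendor-release": vendor.Public().(ed25519.PublicKey)}

	payload := []byte("#!/bin/sh\necho installing agent\n") // constructed artifact
	good := signComponent("agent-1.4.2.pkg", payload, "vendor-release", vendor)

	tampered := good // same signature, payload altered after signing
	tampered.Payload = append(append([]byte{}, payload...), []byte("echo extra\n")...)

	return map[string]error{
		"approved":          VerifyComponent(ts, good),
		"tampered":          VerifyComponent(ts, tampered),
		"unapproved-signer": VerifyComponent(ts, signComponent(good.Name, payload, "rogue-key", rogue)),
		"forged-key-id":     VerifyComponent(ts, signComponent(good.Name, payload, "vendor-release", rogue)),
		"unsigned":          VerifyComponent(ts, Component{Name: good.Name, Payload: payload}),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-18s %v\n", name, err)
	}
}
```

Two design points carry the control's intent. The signed message includes the component name, so a signature that is valid for one package cannot be reused to install the same bytes under another name. And a recognized key ID is not a trust decision: the `forged-key-id` case names the approved key but was signed by another one, and it is rejected on the signature check, not on the lookup.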
Develop, document, and disseminate to [assignment]: [assignment] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organiza
Develop a contingency plan for the system that: Identifies essential mission and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and m
Coordinate contingency plan development with organizational elements responsible for related plans.
Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
Plan for the resumption of [assignment] mission and business functions within [assignment] of contingency plan activation.
Plan for the continuance of [assignment] mission and business functions with minimal or no loss of operational continuity and sustain that continuity until full system restoration at primary processi
Plan for the transfer of [assignment] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through
Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.
Identify critical system assets supporting [assignment] mission and business functions.
Provide contingency training to system users consistent with assigned roles and responsibilities: Within [assignment] of assuming a contingency role or responsibility; When required by system changes;
Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment.
Test the contingency plan for the system [assignment] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [assignment]. Review the contingency p
Coordinate contingency plan testing with organizational elements responsible for related plans.
Test the contingency plan at the alternate processing site: To familiarize contingency personnel with the facility and available resources; and To evaluate the capabilities of the alternate processing
Test the contingency plan using [assignment].
Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing.
Employ [assignment] to [assignment] to disrupt and adversely affect the system or system component.
Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and Ensure that the alternate storage site provides controls equiv
Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.
Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.
Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.
Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [assignment] for essential mission and business functions within [assignment] when the p
Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.
Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outline explicit mitigation actions.
Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).
Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions.
Plan and prepare for circumstances that preclude returning to the primary processing site.
Establish alternate telecommunications services, including necessary agreements to permit the resumption of [assignment] for essential mission and business functions within [assignment] when the prima
Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and R
Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.
Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
Require primary and alternate telecommunications service providers to have contingency plans; Review provider contingency plans to ensure that the plans meet organizational contingency requirements; a
Test alternate telecommunication services [assignment].
Conduct backups of user-level information contained in [assignment] [assignment]; Conduct backups of system-level information contained in the system [assignment]; Conduct backups of system documentat
Test backup information [assignment] to verify media reliability and information integrity.
Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.
Store backup copies of [assignment] in a separate facility or in a fire rated container that is not collocated with the operational system.
Transfer system backup information to the alternate storage site [assignment].
Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.
Enforce dual authorization for the deletion or destruction of [assignment].
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [assignment].
Provide for the recovery and reconstitution of the system to a known state within [assignment] after a disruption, compromise, or failure.
Implement transaction recovery for systems that are transaction-based.
Addressed through tailoring.
Provide the capability to restore system components within [assignment] from configuration-controlled and integrity-protected information representing a known, operational state for the components.
Protect system components used for recovery and reconstitution.
Provide the capability to employ [assignment] in support of maintaining continuity of operations.
When [assignment] are detected, enter a safe mode of operation with [assignment].
Employ [assignment] for satisfying [assignment] when the primary means of implementing the security function is unavailable or compromised.
Develop, document, and disseminate to [assignment]: [assignment] identification and authentication policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination a
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
Implement multi-factor authentication for access to privileged accounts.
Implement multi-factor authentication for access to non-privileged accounts.
When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources.
Implement multi-factor authentication for [assignment] access to [assignment] such that: One of the factors is provided by a device separate from the system gaining access; and The device meets [assig
Implement replay-resistant authentication mechanisms for access to [assignment].
Provide a single sign-on capability for [assignment].
Accept and electronically verify Personal Identity Verification-compliant credentials.
Implement the following out-of-band authentication mechanisms under [assignment]: [assignment].
Uniquely identify and authenticate [assignment] before establishing a [assignment] connection.
Authenticate [assignment] before establishing [assignment] connection using bidirectional authentication that is cryptographically based.
Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [assignment]; and Audit lease informa
Handle device identification and authentication based on attestation by [assignment].
Manage system identifiers by: Receiving authorization from [assignment] to assign an individual, group, role, service, or device identifier; Selecting an identifier that identifies an individual, grou
Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts.
Manage individual identifiers by uniquely identifying each individual as [assignment].
Manage individual identifiers dynamically in accordance with [assignment].
Coordinate with the following external organizations for cross-organization management of identifiers: [assignment].
Generate pairwise pseudonymous identifiers.
Maintain the attributes for each uniquely identified individual, device, or service in [assignment].
Manage system authenticators by: Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator; Establishing
For password-based authentication: Maintain a list of commonly-used, expected, or compromised passwords and update the list [assignment] and when organizational passwords are suspected to have been co
For public key-based authentication: Enforce authorized access to the corresponding private key; and Map the authenticated identity to the account of the individual or group; and When public key infra
Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation.
Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.
Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.
Implement [assignment] to manage the risk of compromise due to individuals having accounts on multiple systems.
Use the following external organizations to federate credentials: [assignment].
Bind identities and authenticators dynamically using the following rules: [assignment].
For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements [assignment].
Prohibit the use of cached authenticators after [assignment].
For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and
Use only General Services Administration-approved products and services for identity, credential, and access management.
Require that the issuance of [assignment] be conducted [assignment] before [assignment] with authorization by [assignment].
Employ presentation attack detection mechanisms for biometric-based authentication.
Employ [assignment] to generate and manage passwords; and Protect the passwords using [assignment].
Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.
Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such
Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.
Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.
Accept only external authenticators that are NIST-compliant; and Document and maintain a list of accepted external authenticators.
Conform to the following profiles for identity management [assignment].
Accept and verify federated or PKI credentials that meet [assignment].
Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [assignment].
Uniquely identify and authenticate [assignment] before establishing communications with devices, users, or other services or applications.
Require individuals accessing the system to employ [assignment] under specific [assignment].
Require users to re-authenticate when [assignment].
Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines; Resolve user id
Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization.
Require evidence of individual identification be presented to the registration authority.
Require that the presented identity evidence be validated and verified through [assignment].
Require that the validation and verification of identity evidence be conducted in person before a designated registration authority.
Require that a [assignment] be delivered through an out-of-band channel to verify the user's address (physical or digital) of record.
Accept externally-proofed identities at [assignment].
Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions
Cryptographic keys that protect access tokens are generated, managed, and protected from disclosure and misuse.
The source and integrity of identity assertions and access tokens are verified before granting access to system and information resources.
In accordance with [assignment], assertions and access tokens are: generated; issued; refreshed; revoked; time-restricted; and audience-restricted.
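The three statements above (keys protecting access tokens are protected; source and integrity of assertions and tokens are verified before access; tokens are time- and audience-restricted) as an added Go example of the relying-party side, not part of the control text and not any identity provider's code. It assumes the tokens are JWTs signed with HMAC-SHA256, which the statements do not prescribe; the signing key, issuer URL, audience name, clock value and claims are constructed, and the issuing routine stands in for the authorization server. A deployment would more typically use an asymmetric algorithm with key IDs and rotation, with the key managed as the first statement requires.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of registered JWT claims this relying party enforces.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var (
	b64          = base64.RawURLEncoding
	ErrMalformed = errors.New("token is malformed")
	ErrAlg       = errors.New("token algorithm is not the pinned algorithm")
	ErrSignature = errors.New("token signature does not verify")
	ErrIssuer    = errors.New("token issuer is not trusted")
	ErrAudience  = errors.New("token audience does not name this service")
	ErrExpired   = errors.New("token has expired or carries no expiry")
)

func mac(key []byte, signingInput string) string { // base64url HS256 tag over header.payload
	m := hmac.New(sha256.New, key)
	m.Write([]byte(signingInput))
	return b64.EncodeToString(m.Sum(nil))
}

// Issue mints an HS256 token; it stands in for the authorization server (hypothetical).
func Issue(key []byte, c Claims) string {
	p, _ := json.Marshal(c)
	in := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(p)
	return in + "." + mac(key, in)
}

// Verify establishes source and integrity (pinned algorithm, signature, trusted issuer)
// before any claim is acted on, then enforces the audience and time restrictions.
func Verify(key []byte, trustedIssuers map[string]bool, audience string, now time.Time, token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	h := map[string]string{}
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &h) != nil {
		return nil, ErrMalformed
	}
	if h["alg"] != "HS256" { // the verifier pins the algorithm; the token never chooses it
		return nil, ErrAlg
	}
	if !hmac.Equal([]byte(parts[2]), []byte(mac(key, parts[0]+"."+parts[1]))) {
		return nil, ErrSignature
	}
	var c Claims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, ErrMalformed
	}
	if !trustedIssuers[c.Iss] {
		return nil, ErrIssuer
	}
	if c.Aud != audience {
		return nil, ErrAudience
	}
	if c.Exp == 0 || now.Unix() >= c.Exp {
		return nil, ErrExpired
	}
	return &c, nil
}

func Demo() map[string]error { // six constructed tokens checked against one relying party's policy
	key := []byte("demo-hs256-key-use-a-kms-managed-secret") // constructed
	issuers := map[string]bool{"https://idp.example.test": true}
	now := time.Unix(1_700_000_000, 0)
	base := Claims{Iss: "https://idp.example.test", Sub: "svc-inventory-reader", Aud: "inventory-api", Exp: now.Unix() + 300}
	check := func(tok string) error { _, err := Verify(key, issuers, "inventory-api", now, tok); return err }
	with := func(edit func(*Claims)) Claims { c := base; edit(&c); return c }
	// A genuine token with its header swapped to alg=none and its signature stripped.
	algNone := b64.EncodeToString([]byte(`{"alg":"none"}`)) + "." + strings.Split(Issue(key, base), ".")[1] + "."
	return map[string]error{
		"valid":            check(Issue(key, base)),
		"expired":          check(Issue(key, with(func(c *Claims) { c.Exp = now.Unix() - 1 }))),
		"wrong-audience":   check(Issue(key, with(func(c *Claims) { c.Aud = "billing-api" }))),
		"untrusted-issuer": check(Issue(key, with(func(c *Claims) { c.Iss = "https://idp.attacker.test" }))),
		"forged-key":       check(Issue([]byte("attacker-guess"), base)),
		"alg-none":         check(algNone),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-17s %v\n", name, err)
	}
}
```

The ordering is the point: the algorithm is pinned and the signature checked before the claims are even decoded, so a token that announces `alg=none` or that was signed with a different key never reaches the issuer, audience or expiry logic. Audience restriction is what stops a token minted for `billing-api` from being replayed against `inventory-api`, and a token with no expiry at all is treated as expired rather than as valid forever.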
Develop, document, and disseminate to [assignment]: [assignment] incident response policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizatio
Provide incident response training to system users consistent with assigned roles and responsibilities: Within [assignment] of assuming an incident response role or responsibility or acquiring system
Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.
Provide an incident response training environment using [assignment].
Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach.
Test the effectiveness of the incident response capability for the system [assignment] using the following tests: [assignment].
Test the incident response capability using [assignment].
Coordinate incident response testing with organizational elements responsible for related plans.
Use qualitative and quantitative data from testing to: Determine the effectiveness of incident response processes; Continuously improve incident response processes; and Provide incident response measu
Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; Coo
Support the incident handling process using [assignment].
Include the following types of dynamic reconfiguration for [assignment] as part of the incident response capability: [assignment].
Identify [assignment] and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: [assignment].
Correlate incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
Implement a configurable capability to automatically disable the system if [assignment] are detected.
Implement an incident handling capability for incidents involving insider threats.
Coordinate an incident handling capability for insider threats that includes the following organizational entities [assignment].
Coordinate with [assignment] to correlate and share [assignment] to achieve a cross-organization perspective on incident awareness and more effective incident responses.
Employ [assignment] to respond to incidents.
Coordinate incident handling activities involving supply chain events with other organizations involved in the supply chain.
Establish and maintain an integrated incident response team that can be deployed to any location identified by the organization in [assignment].
Analyze malicious code and/or other residual artifacts remaining in the system after the incident.
Analyze anomalous or suspected adversarial behavior in or related to [assignment].
Establish and maintain a security operations center.
Manage public relations associated with an incident; and Employ measures to repair the reputation of the organization.
Track and document incidents.
Track incidents and collect and analyze incident information using [assignment].
Require personnel to report suspected incidents to the organizational incident response capability within [assignment]; and Report incident information to [assignment].
Report incidents using [assignment].
Report system vulnerabilities associated with reported incidents to [assignment].
Provide incident information to the provider of the product or service and other organizations involved in the supply chain or supply chain governance for systems or system components related to the i
Provide an incident response support resource, integral to the organizational incident response capability, that offers advice and assistance to users of the system for the handling and reporting of i
Increase the availability of incident response information and support using [assignment].
Establish a direct, cooperative relationship between its incident response capability and external providers of system protection capability; and Identify organizational incident response team members
Develop an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response ca
Include the following in the Incident Response Plan for breaches involving personally identifiable information: A process to determine if notice to individuals or other organizations, including oversi
Respond to information spills by: Assigning [assignment] with responsibility for responding to information spills; Identifying the specific information involved in the system contamination; Alerting [
Provide information spillage response training [assignment].
Implement the following procedures to ensure that organizational personnel impacted by information spills can continue to carry out assigned tasks while contaminated systems are undergoing corrective
Employ the following controls for personnel exposed to information not within assigned access authorizations: [assignment].
Develop, document, and disseminate to [assignment]: [assignment] maintenance policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational en
Schedule, document, and review records of maintenance, repair, and replacement on system components in accordance with manufacturer or vendor specifications and/or organizational requirements; Approve
Schedule, conduct, and document maintenance, repair, and replacement actions for the system using [assignment]; and Produce up-to-date, accurate, and complete records of all maintenance, repair, and
Approve, control, and monitor the use of system maintenance tools; and Review previously approved system maintenance tools [assignment].
Inspect the maintenance tools used by maintenance personnel for improper or unauthorized modifications.
Check media containing diagnostic and test programs for malicious code before the media are used in the system.
Prevent the removal of maintenance equipment containing organizational information by: Verifying that there is no organizational information contained on the equipment; Sanitizing or destroying the eq
Restrict the use of maintenance tools to authorized personnel only.
Monitor the use of maintenance tools that execute with increased privilege.
Inspect maintenance tools to ensure the latest software updates and patches are installed.
Approve and monitor nonlocal maintenance and diagnostic activities; Allow the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the secur
Log [assignment] for nonlocal maintenance and diagnostic sessions; and Review the audit records of the maintenance and diagnostic sessions to detect anomalous behavior.
Require that nonlocal maintenance and diagnostic services be performed from a system that implements a security capability comparable to the capability implemented on the system being serviced; or Rem
Protect nonlocal maintenance sessions by: Employing [assignment]; and Separating the maintenance sessions from other network sessions with the system by either: Physically separated communications pa
Require the approval of each nonlocal maintenance session by [assignment]; and Notify the following personnel or roles of the date and time of planned nonlocal maintenance: [assignment].
Implement the following cryptographic mechanisms to protect the integrity and confidentiality of nonlocal maintenance and diagnostic communications: [assignment].
Verify session and network connection termination after the completion of nonlocal maintenance and diagnostic sessions.
Establish a process for maintenance personnel authorization and maintain a list of authorized maintenance organizations or personnel; Verify that non-escorted personnel performing maintenance on the s
Implement procedures for the use of maintenance personnel that lack appropriate security clearances or are not U.S. citizens, that include the following requirements: Maintenance personnel who do not
Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information possess security clearances and formal access approvals f
Verify that personnel performing maintenance and diagnostic activities on a system processing, storing, or transmitting classified information are U.S. citizens.
Ensure that: Foreign nationals with appropriate security clearances are used to conduct maintenance and diagnostic activities on classified systems only when the systems are jointly owned and operated
Ensure that non-escorted personnel performing maintenance activities not directly associated with the system but in the physical proximity of the system, have required access authorizations.
Obtain maintenance support and/or spare parts for [assignment] within [assignment] of failure.
Perform preventive maintenance on [assignment] at [assignment].
Perform predictive maintenance on [assignment] at [assignment].
Transfer predictive maintenance data to a maintenance management system using [assignment].
Restrict or prohibit field maintenance on [assignment] to [assignment].
Develop, document, and disseminate to [assignment]: [assignment] media protection policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organization
Restrict access to [assignment] to [assignment].
Mark system media indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and Exempt [assignment] from marking if the media remain with
Physically control and securely store [assignment] within [assignment]; and Protect system media types defined in MP-4a until the media are destroyed or sanitized using approved equipment, techniques
Restrict access to media storage areas and log access attempts and access granted using [assignment].
Protect and control [assignment] during transport outside of controlled areas using [assignment]; Maintain accountability for system media during transport outside of controlled areas; Document activi
Employ an identified custodian during transport of system media outside of controlled areas.
Sanitize [assignment] prior to disposal, release out of organizational control, or release for reuse using [assignment]; and Employ sanitization mechanisms with the strength and integrity commensurat
Review, approve, track, document, and verify media sanitization and disposal actions.
Test sanitization equipment and procedures [assignment] to ensure that the intended sanitization is being achieved.
Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: [assignment].
Enforce dual authorization for the sanitization of [assignment].
Provide the capability to purge or wipe information from [assignment] [assignment].
[assignment] the use of [assignment] on [assignment] using [assignment]; and Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.
Prohibit the use of sanitization-resistant media in organizational systems.
Establish [assignment] that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information; Verify that the system m
Document system media downgrading actions.
Test downgrading equipment and procedures [assignment] to ensure that downgrading actions are being achieved.
Downgrade system media containing controlled unclassified information prior to public release.
Downgrade system media containing classified information prior to release to individuals without required access authorizations.
Develop, document, and disseminate to [assignment]: [assignment] physical and environmental protection policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordinati
Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides; Issue authorization credentials for facility access; Review the access list detail
Authorize physical access to the facility where the system resides based on position or role.
Require two forms of identification from the following forms of identification for visitor access to the facility where the system resides: [assignment].
Restrict unescorted access to the facility where the system resides to personnel with [assignment].
Enforce physical access authorizations at [assignment] by: Verifying individual access authorizations before granting access to the facility; and Controlling ingress and egress to the facility using [
Enforce physical access authorizations to the system in addition to the physical access controls for the facility at [assignment].
Perform security checks [assignment] at the physical perimeter of the facility or system for exfiltration of information or removal of system components.
Employ guards to control [assignment] to the facility where the system resides 24 hours per day, 7 days per week.
Use lockable physical casings to protect [assignment] from unauthorized physical access.
Employ [assignment] to [assignment] physical tampering or alteration of [assignment] within the system.
Limit access using physical barriers.
Employ access control vestibules at [assignment].
Control physical access to [assignment] within organizational facilities using [assignment].
Control physical access to output from [assignment] to prevent unauthorized individuals from obtaining the output.
Link individual identity to receipt of output from output devices.
Monitor physical access to the facility where the system resides to detect and respond to physical security incidents; Review physical access logs [assignment] and upon occurrence of [assignment]; an
Monitor physical access to the facility where the system resides using physical intrusion alarms and surveillance equipment.
Recognize [assignment] and initiate [assignment] using [assignment].
Employ video surveillance of [assignment]; Review video recordings [assignment]; and Retain video recordings for [assignment].
Monitor physical access to the system in addition to the physical access monitoring of the facility at [assignment].
Maintain visitor access records to the facility where the system resides for [assignment]; Review visitor access records [assignment]; and Report anomalies in visitor access records to [assignment].
Maintain and review visitor access records using [assignment].
Limit personally identifiable information contained in visitor access records to the following elements identified in the privacy risk assessment: [assignment].
Protect power equipment and power cabling for the system from damage and destruction.
Employ redundant power cabling paths that are physically separated by [assignment].
Employ automatic voltage controls for [assignment].
Provide the capability of shutting off power to [assignment] in emergency situations; Place emergency shutoff switches or devices in [assignment] to facilitate access for authorized personnel; and Pro
Provide an uninterruptible power supply to facilitate [assignment] in the event of a primary power source loss.
Provide an alternate power supply for the system that is activated [assignment] and that can maintain minimally required operational capability in the event of an extended loss of the primary power so
Provide an alternate power supply for the system that is activated [assignment] and that is: Self-contained; Not reliant on external power generation; and Capable of maintaining [assignment] in the ev
Employ and maintain automatic emergency lighting for the system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
Provide emergency lighting for all areas within the facility supporting essential mission and business functions.
Employ and maintain fire detection and suppression systems that are supported by an independent energy source.
Employ fire detection systems that activate automatically and notify [assignment] and [assignment] in the event of a fire.
Employ fire suppression systems that activate automatically and notify [assignment] and [assignment]; and Employ an automatic fire suppression capability when the facility is not staffed on a continu
Ensure that the facility undergoes [assignment] fire protection inspections by authorized and qualified inspectors and identified deficiencies are resolved within [assignment].
Maintain [assignment] levels within the facility where the system resides at [assignment]; and Monitor environmental control levels [assignment].
Employ the following automatic environmental controls in the facility to prevent fluctuations potentially harmful to the system: [assignment].
Employ environmental control monitoring that provides an alarm or notification of changes potentially harmful to personnel or equipment to [assignment].
Protect the system from damage resulting from water leakage by providing master shutoff or isolation valves that are accessible, working properly, and known to key personnel.
Detect the presence of water near the system and alert [assignment] using [assignment].
Authorize and control [assignment] entering and exiting the facility; and Maintain records of the system components.
Determine and document the [assignment] allowed for use by employees; Employ the following controls at alternate work sites: [assignment]; Assess the effectiveness of controls at alternate work sites;
Position system components within the facility to minimize potential damage from [assignment] and to minimize the opportunity for unauthorized access.
Protect the system from information leakage due to electromagnetic signals emanations.
Protect system components, associated data communications, and networks in accordance with national Emissions Security policies and procedures based on the security category or classification of the i
Employ [assignment] to track and monitor the location and movement of [assignment] within [assignment].
Employ [assignment] against electromagnetic pulse damage for [assignment].
Mark [assignment] indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.
Plan the location or site of the facility where the system resides considering physical and environmental hazards; and For existing facilities, consider the physical and environmental hazards in the o
Develop, document, and disseminate to [assignment]: [assignment] planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entit
Develop security and privacy plans for the system that: Are consistent with the organization’s enterprise architecture; Explicitly define the constituent system components; Describe the operational co
Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; Recei
Include in the rules of behavior, restrictions on: Use of social media, social networking sites, and external sites/applications; Posting organizational information on public websites; and Use of orga
Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and Review and update th
Develop security and privacy architectures for the system that: Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational inf
Design the security and privacy architectures for the system using a defense-in-depth approach that: Allocates [assignment] to [assignment]; and Ensures that the allocated controls operate in a coord
Require that [assignment] allocated to [assignment] are obtained from different suppliers.
Centrally manage [assignment].
Select a control baseline for the system.
Tailor the selected control baseline by applying specified tailoring actions.
Develop and disseminate an organization-wide information security program plan that: Provides an overview of the requirements for the security program and a description of the security program managem
Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; Prepare documentati
Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: Are developed
Develop and update [assignment] an inventory of organizational systems.
Establish, maintain, and update [assignment] an inventory of all systems, applications, and projects that process personally identifiable information.
Develop, monitor, and report on the results of information security and privacy measures of performance.
Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations,
Offload [assignment] to other systems, system components, or an external provider.
Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
Develop a comprehensive strategy to manage: Security risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of organizati
Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; Designate individuals to fulfill specific roles and
Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, ot
Implement an insider threat program that includes a cross-discipline insider threat incident handling team.
Establish a security and privacy workforce development and improvement program.
Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems: Are developed and ma
Establish and institutionalize contact with selected groups and associations within the security and privacy communities: To facilitate ongoing security and privacy education and training for organiza
Implement a threat awareness program that includes a cross-organization information-sharing capability for threat intelligence.
Employ automated mechanisms to maximize the effectiveness of sharing threat intelligence information.
Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems, are implemented in a
Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and: Includes a description of the structure of the privacy program and the
Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks
Maintain a central resource webpage on the organization’s principal public website that serves as a central source of information about the organization’s privacy program and that: Ensures that the pu
Develop and post privacy policies on all external-facing websites, mobile applications, and other digital services, that: Are written in plain language and organized in a way that is easy to understan
Develop and maintain an accurate accounting of disclosures of personally identifiable information, including: Date, nature, and purpose of each disclosure; and Name and address, or other contact infor
Develop and document organization-wide policies and procedures for: Reviewing for the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information li
Establish a Data Governance Body consisting of [assignment] with [assignment].
Establish a Data Integrity Board to: Review proposals to conduct or participate in a matching program; and Conduct an annual review of all matching programs in which the agency has participated.
Develop, document, and implement policies and procedures that address the use of personally identifiable information for internal testing, training, and research; Limit or minimize the amount of perso
Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes: Mechanisms that are easy
Develop [assignment] and disseminate to: [assignment] to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and [assignment] and other personnel with responsibility fo
Identify and document: Assumptions affecting risk assessments, risk responses, and risk monitoring; Constraints affecting risk assessments, risk responses, and risk monitoring; Priorities and trade-of
Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; a
Develop an organization-wide strategy for managing supply chain risks associated with the development, acquisition, maintenance, and disposal of systems, system components, and system services; Implem
Identify, prioritize, and assess suppliers of critical or mission-essential technologies, products, and services.
Develop an organization-wide continuous monitoring strategy and implement continuous monitoring programs that include: Establishing the following organization-wide metrics to be monitored: [assignment
Analyze [assignment] supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.
Develop, document, and disseminate to [assignment]: [assignment] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizati
Assign a risk designation to all organizational positions; Establish screening criteria for individuals filling those positions; and Review and update position risk designations [assignment].
Screen individuals prior to authorizing access to the system; and Rescreen individuals in accordance with [assignment].
Verify that individuals accessing a system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which the
Verify that individuals accessing a system processing, storing, or transmitting types of classified information that require formal indoctrination, are formally indoctrinated for all the relevant type
Verify that individuals accessing a system processing, storing, or transmitting information requiring special protection: Have valid access authorizations that are demonstrated by assigned official go
Verify that individuals accessing a system processing, storing, or transmitting [assignment] meet [assignment].
Upon termination of individual employment: Disable system access within [assignment]; Terminate or revoke any authenticators and credentials associated with the individual; Conduct exit interviews tha
Notify terminated individuals of applicable, legally binding post-employment requirements for the protection of organizational information; and Require terminated individuals to sign an acknowledgment
Use [assignment] to [assignment].
Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within th
Develop and document access agreements for organizational systems; Review and update the access agreements [assignment]; and Verify that individuals requiring access to organizational information and
Verify that access to classified information requiring special protection is granted only to individuals who: Have a valid access authorization that is demonstrated by assigned official government dut
Notify individuals of applicable, legally binding post-employment requirements for protection of organizational information; and Require individuals to sign an acknowledgment of these requirements, if
Establish personnel security requirements, including security roles and responsibilities for external providers; Require external providers to comply with personnel security policies and procedures es
Employ a formal sanctions process for individuals failing to comply with established information security and privacy policies and procedures; and Notify [assignment] within [assignment] when a formal
Incorporate security and privacy roles and responsibilities into organizational position descriptions.
Develop, document, and disseminate to [assignment]: [assignment] personally identifiable information processing and transparency policy that: Addresses purpose, scope, roles, responsibilities, managem
Determine and document the [assignment] that permits the [assignment] of personally identifiable information; and Restrict the [assignment] of personally identifiable information to only that which is
Attach data tags containing [assignment] to [assignment].
Manage enforcement of the authorized processing of personally identifiable information using [assignment].
Identify and document the [assignment] for processing personally identifiable information; Describe the purpose(s) in the public privacy notices and policies of the organization; Restrict the [assignm
Attach data tags containing the following purposes to [assignment]: [assignment].
Track processing purposes of personally identifiable information using [assignment].
Implement [assignment] for individuals to consent to the processing of their personally identifiable information prior to its collection that facilitate individuals’ informed decision-making.
Provide [assignment] to allow individuals to tailor processing permissions to selected elements of personally identifiable information.
Present [assignment] to individuals at [assignment] and in conjunction with [assignment].
Implement [assignment] for individuals to revoke consent to the processing of their personally identifiable information.
Provide notice to individuals about the processing of personally identifiable information that: Is available to individuals upon first interacting with an organization, and subsequently at [assignment
Present notice of personally identifiable information processing to individuals at a time and location where the individual provides personally identifiable information or in conjunction with a data a
Include Privacy Act statements on forms that collect information that will be maintained in a Privacy Act system of records, or provide Privacy Act statements on separate forms that can be retained by
For systems that process information that will be maintained in a Privacy Act system of records: Draft system of records notices in accordance with OMB guidance and submit new and significantly modifi
Review all routine uses published in the system of records notice at [assignment] to ensure continued accuracy, and to ensure that routine uses continue to be compatible with the purpose for which the
Review all Privacy Act exemptions claimed for the system of records at [assignment] to ensure they remain appropriate and necessary in accordance with law, that they have been promulgated as regulatio
Apply [assignment] for specific categories of personally identifiable information.
When a system processes Social Security numbers: Eliminate unnecessary collection, maintenance, and use of Social Security numbers, and explore alternatives to their use as a personal identifier; Do n
Prohibit the processing of information describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual or unless pertinent
When a system or organization processes information for the purpose of conducting a matching program: Obtain approval from the Data Integrity Board to conduct the matching program; Develop and enter i
Develop, document, and disseminate to [assignment]: [assignment] risk assessment policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizationa
Categorize the system and information it processes, stores, and transmits; Document the security categorization results, including supporting rationale, in the security plan for the system; and Verify
Conduct an impact-level prioritization of organizational systems to obtain additional granularity on system impact levels.
Conduct a risk assessment, including: Identifying threats to and vulnerabilities in the system; Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption,
Assess supply chain risks associated with [assignment]; and Update the supply chain risk assessment [assignment], when there are significant changes to the relevant supply chain, or when changes to
Use all-source intelligence to assist in the analysis of risk.
Determine the current cyber threat environment on an ongoing basis using [assignment].
Employ the following advanced automation and analytics capabilities to predict and identify risks to [assignment]: [assignment].
Monitor and scan for vulnerabilities in the system and hosted applications [assignment] and when new vulnerabilities potentially affecting the system are identified and reported; Employ vulnerability
Update the system vulnerabilities to be scanned [assignment].
Define the breadth and depth of vulnerability scanning coverage.
Determine information about the system that is discoverable and take [assignment].
Implement privileged access authorization to [assignment] for [assignment].
Compare the results of multiple vulnerability scans using [assignment].
Review historic audit logs to determine if a vulnerability identified in a [assignment] has been previously exploited within an [assignment].
Correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability and multi-hop attack vectors.
Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components.
Employ a technical surveillance countermeasures survey at [assignment] [assignment].
Respond to findings from security and privacy assessments, monitoring, and audits in accordance with organizational risk tolerance.
Conduct privacy impact assessments for systems, programs, or other activities before: Developing or procuring information technology that processes personally identifiable information; and Initiating
Identify critical system components and functions by performing a criticality analysis for [assignment] at [assignment].
Establish and maintain a cyber threat hunting capability to: Search for indicators of compromise in organizational systems; and Detect, track, and disrupt threats that evade existing controls; and Emp
Develop, document, and disseminate to [assignment]: [assignment] system and services acquisition policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination amo
Determine the high-level information security and privacy requirements for the system or system service in mission and business process planning; Determine, document, and allocate the resources requir
Acquire, develop, and manage the system using [assignment] that incorporates information security and privacy considerations; Define and document information security and privacy roles and responsibil
Protect system preproduction environments commensurate with risk throughout the system development life cycle for the system, system component, or system service.
Approve, document, and control the use of live data in preproduction environments for the system, system component, or system service; and Protect preproduction environments for the system, system com
Plan for and implement a technology refresh schedule for the system throughout the system development life cycle.
Include the following requirements, descriptions, and criteria, explicitly or by reference, using [assignment] in the acquisition contract for the system, system component, or system service: Security
Require the developer of the system, system component, or system service to provide a description of the functional properties of the controls to be implemented.
Require the developer of the system, system component, or system service to provide design and implementation information for the controls that includes: [assignment] at [assignment].
Require the developer of the system, system component, or system service to demonstrate the use of a system development life cycle process that includes: [assignment]; [assignment]; and [assignment].
Require the developer of the system, system component, or system service to: Deliver the system, component, or service with [assignment] implemented; and Use the configurations as the default for any
Employ only government off-the-shelf or commercial off-the-shelf information assurance and information assurance-enabled information technology products that compose an NSA-approved solution to protec
Limit the use of commercially provided information assurance and information assurance-enabled information technology products to those products that have been successfully evaluated against a Nationa
Require the developer of the system, system component, or system service to produce a plan for continuous monitoring of control effectiveness that is consistent with the continuous monitoring program
Require the developer of the system, system component, or system service to identify the functions, ports, protocols, and services intended for organizational use.
Employ only information technology products on the FIPS 201-approved products list for Personal Identity Verification (PIV) capability implemented within organizational systems.
Include [assignment] in the acquisition contract for the operation of a system of records on behalf of an organization to accomplish an organizational mission or function.
Include organizational data ownership requirements in the acquisition contract; and Require all data to be removed from the contractor’s system and returned to the organization within [assignment].
Obtain or develop administrator documentation for the system, system component, or system service that describes: Secure configuration, installation, and operation of the system, component, or service
Apply the following systems security and privacy engineering principles in the specification, design, development, implementation, and modification of the system and system components: [assignment].
Implement the security design principle of clear abstractions.
Implement the security design principle of least common mechanism in [assignment].
Implement the security design principles of modularity and layering in [assignment].
Implement the security design principle of partially ordered dependencies in [assignment].
Implement the security design principle of efficiently mediated access in [assignment].
Implement the security design principle of minimized sharing in [assignment].
Implement the security design principle of reduced complexity in [assignment].
Implement the security design principle of secure evolvability in [assignment].
Implement the security design principle of trusted components in [assignment].
Implement the security design principle of hierarchical trust in [assignment].
Implement the security design principle of inverse modification threshold in [assignment].
Implement the security design principle of hierarchical protection in [assignment].
Implement the security design principle of minimized security elements in [assignment].
Implement the security design principle of least privilege in [assignment].
Implement the security design principle of predicate permission in [assignment].
Implement the security design principle of self-reliant trustworthiness in [assignment].
Implement the security design principle of secure distributed composition in [assignment].
Implement the security design principle of trusted communications channels in [assignment].
Implement the security design principle of continuous protection in [assignment].
Implement the security design principle of secure metadata management in [assignment].
Implement the security design principle of self-analysis in [assignment].
Implement the security design principle of accountability and traceability in [assignment].
Implement the security design principle of secure defaults in [assignment].
Implement the security design principle of secure failure and recovery in [assignment].
Implement the security design principle of economic security in [assignment].
Implement the security design principle of performance security in [assignment].
Implement the security design principle of human factored security in [assignment].
Implement the security design principle of acceptable security in [assignment].
Implement the security design principle of repeatable and documented procedures in [assignment].
Implement the security design principle of procedural rigor in [assignment].
Implement the security design principle of secure system modification in [assignment].
Implement the security design principle of sufficient documentation in [assignment].
Implement the privacy principle of minimization using [assignment].
Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [assignment]; Define and document organizational over
Conduct an organizational assessment of risk prior to the acquisition or outsourcing of information security services; and Verify that the acquisition or outsourcing of dedicated information security
Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [assignment].
Establish, document, and maintain trust relationships with external service providers based on the following requirements, properties, factors, or conditions: [assignment].
Take the following actions to verify that the interests of [assignment] are consistent with and reflect organizational interests: [assignment].
Restrict the location of [assignment] to [assignment] based on [assignment].
Maintain exclusive control of cryptographic keys for encrypted material stored or transmitted through an external system.
Provide the capability to check the integrity of information while it resides in the external system.
Restrict the geographic location of information processing and data storage to facilities located within the legal jurisdictional boundary of the United States.
Require the developer of the system, system component, or system service to: Perform configuration management during system, component, or service [assignment]; Document, manage, and control the integ
Require the developer of the system, system component, or system service to enable integrity verification of software and firmware components.
Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
Require the developer of the system, system component, or system service to enable integrity verification of hardware components.
Require the developer of the system, system component, or system service to employ tools for comparing newly generated versions of security-relevant hardware descriptions, source code, and object code
Require the developer of the system, system component, or system service to maintain the integrity of the mapping between the master build data describing the current version of security-relevant hard
Require the developer of the system, system component, or system service to execute procedures for ensuring that security-relevant hardware, software, and firmware updates distributed to the organizat
Require [assignment] to be included in the [assignment].
Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: Develop and implement a plan for ongoing security and priv
Require the developer of the system, system component, or system service to employ static code analysis tools to identify common flaws and document the results of the analysis.
Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the syste
Require an independent agent satisfying [assignment] to verify the correct implementation of the developer security and privacy assessment plans and the evidence produced during testing and evaluation
Require the developer of the system, system component, or system service to perform a manual code review of [assignment] using the following processes, procedures, and/or techniques: [assignment].
Require the developer of the system, system component, or system service to perform penetration testing: At the following level of rigor: [assignment]; and Under the following constraints: [assignmen
Require the developer of the system, system component, or system service to perform attack surface reviews.
Require the developer of the system, system component, or system service to verify that the scope of testing and evaluation provides complete coverage of the required controls at the following level o
Require the developer of the system, system component, or system service to employ dynamic code analysis tools to identify common flaws and document the results of the analysis.
Require the developer of the system, system component, or system service to employ interactive application security testing tools to identify flaws and document the results.
Require the developer of the system, system component, or system service to follow a documented development process that: Explicitly addresses security and privacy requirements; Identifies the standar
Require the developer of the system, system component, or system service to: Define quality metrics at the beginning of the development process; and Provide evidence of meeting the quality metrics [as
Require the developer of the system, system component, or system service to select and employ security and privacy tracking tools for use during the development process.
Require the developer of the system, system component, or system service to perform a criticality analysis: At the following decision points in the system development life cycle: [assignment]; and At
Require the developer of the system, system component, or system service to reduce attack surfaces to [assignment].
Require the developer of the system, system component, or system service to implement an explicit process to continuously improve the development process.
Require the developer of the system, system component, or system service [assignment] to: Perform an automated vulnerability analysis using [assignment]; Determine the exploitation potential for disco
Require the developer of the system, system component, or system service to use threat modeling and vulnerability analyses from similar systems, components, or services to inform the current developme
Require the developer of the system, system component, or system service to provide, implement, and test an incident response plan.
Require the developer of the system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security and privac
Require the developer of the system or system component to minimize the use of personally identifiable information in development and test environments.
Require the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls,
Require the developer of the system, system component, or system service to produce a design specification and security and privacy architecture that: Is consistent with the organization’s security an
Require the developer of the system, system component, or system service to: Produce, as an integral part of the development process, a formal policy model describing the [assignment] to be enforced;
Require the developer of the system, system component, or system service to: Define security-relevant hardware, software, and firmware; and Provide a rationale that the definition for security-relevan
Require the developer of the system, system component, or system service to: Produce, as an integral part of the development process, a formal top-level specification that specifies the interfaces to
Require the developer of the system, system component, or system service to: Produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the
Require the developer of the system, system component, or system service to: Design and structure the security-relevant hardware, software, and firmware to use a complete, conceptually simple protecti
Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate testing.
Require the developer of the system, system component, or system service to structure security-relevant hardware, software, and firmware to facilitate controlling access with least privilege.
Design [assignment] with coordinated behavior to implement the following capabilities: [assignment].
Use different designs for [assignment] to satisfy a common set of requirements or to provide equivalent functionality.
Reimplement or custom develop the following critical system components: [assignment].
Require that the developer of [assignment]: Has appropriate access authorizations as determined by assigned [assignment]; and Satisfies the following additional personnel screening criteria: [assignm
Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer; or Provide the following options for alternative sources for continued sup
Employ [assignment] on [assignment] supporting mission essential services or functions to increase the trustworthiness in those systems or components.
Design organizational systems, system components, or system services to achieve cyber resiliency by: Defining the following cyber resiliency goals: [assignment]. Defining the following cyber resilienc
Develop, document, and disseminate to [assignment]: [assignment] system and communications protection policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordinatio
Separate user functionality, including user interface services, from system management functionality.
Prevent the presentation of system management functionality at interfaces to non-privileged users.
Store state information from applications and software separately.
Isolate security functions from nonsecurity functions.
Employ hardware separation mechanisms to implement security function isolation.
Isolate security functions enforcing access and information flow control from nonsecurity functions and from other security functions.
Minimize the number of nonsecurity functions included within the isolation boundary containing security functions.
Implement security functions as largely independent modules that maximize internal cohesiveness within modules and minimize coupling between modules.
Implement security functions as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layer
Prevent unauthorized and unintended information transfer via shared system resources.
Prevent unauthorized information transfer via shared resources in accordance with [assignment] when system processing explicitly switches between different information classification levels or securit
[assignment] the effects of the following types of denial-of-service events: [assignment]; and Employ the following controls to achieve the denial-of-service objective: [assignment].
Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: [assignment].
Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.
Employ the following monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system: [assignment]; and Monitor the following system resources to determine if
Protect the availability of resources by allocating [assignment] by [assignment].
Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system; Implement subnetworks for publicly accessible system compo
Limit the number of external network connections to the system.
Implement a managed interface for each external telecommunication service; Establish a traffic flow policy for each managed interface; Protect the confidentiality and integrity of the information bein
Deny network communications traffic by default and allow network communications traffic by exception [assignment].
Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using [assignment].
Route [assignment] to [assignment] through authenticated proxy servers at managed interfaces.
Detect and deny outgoing communications traffic posing a threat to external systems; and Audit the identity of internal users associated with denied communications.
Prevent the exfiltration of information; and Conduct exfiltration tests [assignment].
Only allow incoming communications from [assignment] to be routed to [assignment].
Implement [assignment] at [assignment].
Isolate [assignment] from other internal system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
Protect against unauthorized physical connections at [assignment].
Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
Prevent the discovery of specific system components that represent a managed interface.
Enforce adherence to protocol formats.
Prevent systems from entering unsecure states in the event of an operational failure of a boundary protection device.
Block inbound and outbound communications traffic between [assignment] that are independently configured by end users and external service providers.
Provide the capability to dynamically isolate [assignment] from other system components.
Employ boundary protection mechanisms to isolate [assignment] supporting [assignment].
Implement separate network addresses to connect to systems in different security domains.
Disable feedback to senders on protocol format validation failure.
For systems that process personally identifiable information: Apply the following processing rules to data elements of personally identifiable information: [assignment]; Monitor for permitted processi
Prohibit the direct connection of [assignment] to an external network without the use of [assignment].
Prohibit the direct connection of a classified national security system to an external network without the use of [assignment].
Prohibit the direct connection of [assignment] to an external network without the use of [assignment].
Prohibit the direct connection of [assignment] to a public network.
Implement [assignment] separate subnetworks to isolate the following critical system components and functions: [assignment].
Protect the [assignment] of transmitted information.
Implement cryptographic mechanisms to [assignment] during transmission.
Maintain the [assignment] of information during preparation for transmission and during reception.
Implement cryptographic mechanisms to protect message externals unless otherwise protected by [assignment].
Implement cryptographic mechanisms to conceal or randomize communication patterns unless otherwise protected by [assignment].
Implement [assignment] to [assignment] during transmission.
Terminate the network connection associated with a communications session at the end of the session or after [assignment] of inactivity.
Provide a [assignment] isolated trusted communications path for communications between the user and the trusted components of the system; and Permit users to invoke the trusted communications path for
Provide a trusted communications path that is irrefutably distinguishable from other communications paths; and Initiate the trusted communications path for communications between the [assignment] of t
Establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: [assignment].
Maintain availability of information in the event of the loss of cryptographic keys by users.
Produce, control, and distribute symmetric cryptographic keys using [assignment] key management technology and processes.
Produce, control, and distribute asymmetric cryptographic keys using [assignment].
Maintain physical control of cryptographic keys when stored information is encrypted by external service providers.
Determine the [assignment]; and Implement the following types of cryptography required for each specified cryptographic use: [assignment].
Prohibit remote activation of collaborative computing devices and applications with the following exceptions: [assignment]; and Provide an explicit indication of use to users physically present at th
Provide [assignment] disconnect of collaborative computing devices in a manner that supports ease of use.
Disable or remove collaborative computing devices and applications from [assignment] in [assignment].
Provide an explicit indication of current participants in [assignment].
Associate [assignment] with information exchanged between systems and between system components.
Verify the integrity of transmitted security and privacy attributes.
Implement anti-spoofing mechanisms to prevent adversaries from falsifying the security attributes indicating the successful application of the security process.
Implement [assignment] to bind security and privacy attributes to transmitted information.
Issue public key certificates under an [assignment] or obtain public key certificates from an approved service provider; and Include only approved trust anchors in trust stores or certificate stores m
Define acceptable and unacceptable mobile code and mobile code technologies; and Authorize, monitor, and control the use of mobile code within the system.
Identify [assignment] and take [assignment].
Verify that the acquisition, development, and use of mobile code to be deployed in the system meets [assignment].
Prevent the download and execution of [assignment].
Prevent the automatic execution of mobile code in [assignment] and enforce [assignment] prior to executing the code.
Allow execution of permitted mobile code only in confined virtual machine environments.
Technology-specific; addressed as any other technology or protocol.
Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution
Provide data origin and integrity protection artifacts for internal name/address resolution queries.
Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.
Protect the authenticity of communications sessions.
Invalidate session identifiers upon user logout or other session termination.
Generate a unique session identifier for each session with [assignment] and recognize only session identifiers that are system-generated.
Only allow the use of [assignment] for verification of the establishment of protected sessions.
Fail to a [assignment] for the following failures on the indicated components while preserving [assignment] in failure: [assignment].
Employ minimal functionality and information storage on the following system components: [assignment].
Include components within organizational systems specifically designed to be the target of malicious attacks for detecting, deflecting, and analyzing such attacks.
Include within organizational systems the following platform independent applications: [assignment].
Protect the [assignment] of the following information at rest: [assignment].
Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of the following information at rest on [assignment]: [assignment].
Remove the following information from online storage and store offline in a secure location: [assignment].
Provide protected storage for cryptographic keys [assignment].
Employ a diverse set of information technologies for the following system components in the implementation of the system: [assignment].
Employ virtualization techniques to support the deployment of a diversity of operating systems and applications that are changed [assignment].
Employ the following concealment and misdirection techniques for [assignment] at [assignment] to confuse and mislead adversaries: [assignment].
Employ [assignment] to introduce randomness into organizational operations and assets.
Change the location of [assignment] [assignment].
Employ realistic, but misleading information in [assignment] about its security state or posture.
Employ the following techniques to hide or conceal [assignment]: [assignment].
Perform a covert channel analysis to identify those aspects of communications within the system that are potential avenues for covert [assignment] channels; and Estimate the maximum bandwidth of those
Test a subset of the identified covert channels to determine the channels that are exploitable.
Reduce the maximum bandwidth for identified covert [assignment] channels to [assignment].
Measure the bandwidth of [assignment] in the operational environment of the system.
Partition the system into [assignment] residing in separate [assignment] domains or environments based on [assignment].
Partition privileged functions into separate physical domains.
For [assignment], load and execute: The operating environment from hardware-enforced, read-only media; and The following applications from hardware-enforced, read-only media: [assignment].
Employ [assignment] with no writeable storage that is persistent across component restart or power on/off.
Protect the integrity of information prior to storage on read-only media and control the media after such information has been recorded onto the media.
Include system components that proactively seek to identify network-based malicious code or malicious websites.
Distribute the following processing and storage components across multiple [assignment]: [assignment].
Employ polling techniques to identify potential faults, errors, or compromises to the following processing and storage components: [assignment]; and Take the following actions in response to identifi
Synchronize the following duplicate systems or system components: [assignment].
Employ the following out-of-band channels for the physical delivery or electronic transmission of [assignment] to [assignment]: [assignment].
Employ [assignment] to ensure that only [assignment] receive the following information, system components, or devices: [assignment].
Employ the following operations security controls to protect key organizational information throughout the system development life cycle: [assignment].
Maintain a separate execution domain for each executing system process.
Implement hardware separation mechanisms to facilitate process isolation.
Maintain a separate execution domain for each thread in [assignment].
Protect external and internal [assignment] from the following signal parameter attacks: [assignment].
Implement cryptographic mechanisms that achieve [assignment] against the effects of intentional electromagnetic interference.
Implement cryptographic mechanisms to reduce the detection potential of wireless links to [assignment].
Implement cryptographic mechanisms to identify and reject wireless transmissions that are deliberate attempts to achieve imitative or manipulative communications deception based on signal parameters.
Implement cryptographic mechanisms to prevent the identification of [assignment] by using the transmitter signal parameters.
[assignment] disable or remove [assignment] on the following systems or system components: [assignment].
Prohibit [assignment]; and Provide an explicit indication of sensor use to [assignment].
Verify that the system is configured so that data or information collected by the [assignment] is only reported to authorized individuals or roles.
Employ the following measures so that data or information collected by [assignment] is only used for authorized purposes: [assignment].
Employ the following measures to facilitate an individual’s awareness that personally identifiable information is being collected by [assignment]: [assignment].
Employ [assignment] that are configured to minimize the collection of information about individuals that is not needed.
Establish usage restrictions and implementation guidelines for the following system components: [assignment]; and Authorize, monitor, and control the use of such components within the system.
Employ a detonation chamber capability within [assignment].
Synchronize system clocks within and between systems and system components.
Compare the internal system clocks [assignment] with [assignment]; and Synchronize the internal system clocks to the authoritative time source when the time difference is greater than [assignment].
Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source; and Synchronize the internal system clocks to the secondary authorit
Implement a policy enforcement mechanism [assignment] between the physical and/or network interfaces for the connecting security domains.
Establish [assignment] for system operations organizational command and control.
Relocate [assignment] to [assignment] under the following conditions or circumstances: [assignment].
Dynamically relocate [assignment] to [assignment] under the following conditions or circumstances: [assignment].
Implement hardware-enforced separation and policy enforcement mechanisms between [assignment].
Implement software-enforced separation and policy enforcement mechanisms between [assignment].
Employ hardware-based, write-protect for [assignment]; and Implement specific procedures for [assignment] to manually disable hardware write-protect for firmware modifications and re-enable the write
Develop, document, and disseminate to [assignment]: [assignment] system and information integrity policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination am
Identify, report, and correct system flaws; Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; Install security-relevant s
Determine if system components have applicable security-relevant software and firmware updates installed using [assignment] [assignment].
Measure the time between flaw identification and flaw remediation; and Establish the following benchmarks for taking corrective actions: [assignment].
Employ automated patch management tools to facilitate flaw remediation to the following system components: [assignment].
Install [assignment] automatically to [assignment].
Remove previous versions of [assignment] after updated versions have been installed.
Conduct root cause analysis to identify underlying causes of issues or failures. Develop actions to address the root cause of the issue or failure. Implement the actions and monitor the implementation
Implement [assignment] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code; Automatically update malicious code protection mechanisms as new rel
Update malicious code protection mechanisms only when directed by a privileged user.
Test malicious code protection mechanisms [assignment] by introducing known benign code into the system; and Verify that the detection of the code and the associated incident reporting occur.
Detect the following unauthorized operating system commands through the kernel application programming interface on [assignment]: [assignment]; and [assignment].
Employ the following tools and techniques to analyze the characteristics and behavior of malicious code: [assignment]; and Incorporate the results from malicious code analysis into organizational inc
Monitor the system to detect: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [assignment] ; and Unauthorized local, network, and remote connections
Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.
Employ automated tools and mechanisms to support near real-time analysis of events.
Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms.
Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic; Monitor inbound and outbound communications traffic [assignment] for [assignmen
Alert [assignment] when the following system-generated indications of compromise or potential compromise occur: [assignment].
Notify [assignment] of detected suspicious events; and Take the following actions upon detection: [assignment].
Test intrusion-monitoring tools and mechanisms [assignment].
Make provisions so that [assignment] is visible to [assignment].
Analyze outbound communications traffic at the external interfaces to the system and selected [assignment] to discover anomalies.
Alert [assignment] using [assignment] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [assignment].
Analyze communications traffic and event patterns for the system; Develop profiles representing common traffic and event patterns; and Use the traffic and event profiles in tuning system-monitoring de
Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.
Employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
Correlate information from monitoring tools and mechanisms employed throughout the system.
Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: [assignment].
Implement [assignment] of individuals who have been identified by [assignment] as posing an increased level of risk.
Implement the following additional monitoring of privileged users: [assignment].
Implement the following additional monitoring of individuals during [assignment]: [assignment].
Detect network services that have not been authorized or approved by [assignment]; and [assignment] when detected.
Implement the following host-based monitoring mechanisms at [assignment]: [assignment].
Discover, collect, and distribute to [assignment], indicators of compromise provided by [assignment].
Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.
Receive system security alerts, advisories, and directives from [assignment] on an ongoing basis; Generate internal security alerts, advisories, and directives as deemed necessary; Disseminate securit
Broadcast security alert and advisory information throughout the organization using [assignment].
Verify the correct operation of [assignment]; Perform the verification of the functions specified in SI-6a [assignment]; Alert [assignment] to failed security and privacy verification tests; and [assi
Implement automated mechanisms to support the management of distributed security and privacy function testing.
Report the results of security and privacy function verification to [assignment].
Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [assignment]; and Take the following actions when unauthorized changes to the
Perform an integrity check of [assignment] [assignment].
Employ automated tools that provide notification to [assignment] upon discovering discrepancies during integrity verification.
Employ centrally managed integrity verification tools.
Automatically [assignment] when integrity violations are discovered.
Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.
Incorporate the detection of the following unauthorized changes into the organizational incident response capability: [assignment].
Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: [assignment].
Verify the integrity of the boot process of the following system components: [assignment].
Implement the following mechanisms to protect the integrity of boot firmware in [assignment]: [assignment].
Require that the integrity of the following user-installed software be verified prior to execution: [assignment].
Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: [assignment].
Prohibit processes from executing without supervision for more than [assignment].
Implement [assignment] for application self-protection at runtime.
Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and Update spam protection mechanisms when new releases are available in accordance with or
Automatically update spam protection mechanisms [assignment].
Implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.
Check the validity of the following information inputs: [assignment].
Provide a manual override capability for input validation of the following information inputs: [assignment]; Restrict the use of the manual override capability to only [assignment]; and Audit the use
Review and resolve input validation errors within [assignment].
Verify that the system behaves in a predictable and documented manner when invalid inputs are received.
Account for timing interactions among system components in determining appropriate responses for invalid inputs.
Restrict the use of information inputs to [assignment] and/or [assignment].
Prevent untrusted data injections.
Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and Reveal error messages only to [assignment].
Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines an
Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: [assignment].
Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: [assignment].
Use the following techniques to dispose of, destroy, or erase information following the retention period: [assignment].
Determine mean time to failure (MTTF) for the following system components in specific environments of operation: [assignment]; and Provide substitute system components and a means to exchange active
Take system components out of service by transferring component responsibilities to substitute components no later than [assignment] of mean time to failure.
Manually initiate transfers between active and standby system components when the use of the active component reaches [assignment] of the mean time to failure.
If system component failures are detected: Ensure that the standby components are successfully and transparently installed within [assignment]; and [assignment].
Provide [assignment] [assignment] for the system.
Implement non-persistent [assignment] that are initiated in a known state and terminated [assignment].
Obtain software and data employed during system component and service refreshes from the following trusted sources: [assignment].
[assignment]; and Delete information when no longer needed.
Establish connections to the system on demand and terminate connections after [assignment].
Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: [assignment].
Implement the following controls to protect the system memory from unauthorized code execution: [assignment].
Implement the indicated fail-safe procedures when the indicated failures occur: [assignment].
Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle [assignment]; and Correct or delete inaccurate or outdated persona
Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using [assignment].
Employ data tags to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems.
Collect personally identifiable information directly from the individual.
Correct or delete personally identifiable information upon request by individuals or their designated representatives.
Notify [assignment] and individuals that the personally identifiable information has been corrected or deleted.
Remove the following elements of personally identifiable information from datasets: [assignment]; and Evaluate [assignment] for effectiveness of de-identification.
De-identify the dataset upon collection by not collecting personally identifiable information.
Prohibit archiving of personally identifiable information elements if those elements in a dataset will not be needed after the dataset is archived.
Remove personally identifiable information elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.
Remove, mask, encrypt, hash, or replace direct identifiers in a dataset.
Manipulate numerical data, contingency tables, and statistical findings so that no individual or organization is identifiable in the results of the analysis.
Prevent disclosure of personally identifiable information by adding non-deterministic noise to the results of mathematical operations before the results are reported.
Perform de-identification using validated algorithms and software that is validated to implement the algorithms.
Perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.
Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: [assignment].
Refresh [assignment] at [assignment] or generate the information on demand and delete the information when no longer needed.
Identify the following alternative sources of information for [assignment]: [assignment]; and Use an alternative information source for the execution of essential functions or services on [assignment
Based on [assignment]: Fragment the following information: [assignment]; and Distribute the fragmented information across the following systems or system components: [assignment].
Develop, document, and disseminate to [assignment]: [assignment] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among
Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the
Establish a supply chain risk management team consisting of [assignment] to lead and support the following SCRM activities: [assignment].
Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of [assignment] in coordination with [assignment]; Employ the following c
Employ a diverse set of sources for the following system components and services: [assignment].
Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: [assignment].
Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.
Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: [assignment].
Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components: [assignment].
Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: [assignment].
Employ the following controls to validate that the system or system component received is genuine and has not been altered: [assignment].
Employ [assignment] and conduct [assignment] to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technolo
Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: [assignment].
Employ the following controls to ensure an adequate supply of [assignment]: [assignment].
Assess the system, system component, or system service prior to selection, acceptance, modification, or update.
Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [assignment].
Employ [assignment] of the following supply chain elements, processes, and actors associated with the system, system component, or system service: [assignment].
Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: [assignment].
Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the [assignment].
Implement a tamper protection program for the system, system component, or system service.
Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle.
Inspect the following systems or system components [assignment] to detect tampering: [assignment].
Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and Report counterfeit system components to [
Train [assignment] to detect counterfeit system components (including hardware, software, and firmware).
Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [assignment].
Scan for counterfeit system components [assignment].
Dispose of [assignment] using the following techniques and methods: [assignment].