3.1.1 | Access Control | Account Management | a. Define the types of system accounts allowed and prohibited.
b. Create, enable, modify, disable, and remove system accounts in accordance with policy, procedures, prerequisites, and criteria.
c. Specify:
1. Authorized users of the system,
2. Group and role membership, and
3. Access authorizations (i.e., privileges) for each account.
d. Authorize access to the system based on:
1. A valid access authorization and
2. Intended system usage.
e. Monitor the use of system accounts.
f. Disable system accounts when:
1. The accounts have expired,
2. The accounts have been inactive for [Assignment: organization-defined time period],
3. The accounts are no longer associated with a user or individual,
4. The accounts are in violation of organizational policy, or
5. Significant risks associated with individuals are discovered.
g. Notify account managers and designated personnel or roles within:
1. [Assignment: organization-defined time period] when accounts are no longer required.
2. [Assignment: organization-defined time period] when users are terminated or transferred.
3. [Assignment: organization-defined time period] when system usage or the need-to-know changes for an individual.
h. Require that users log out of the system after [Assignment: organization-defined time period] of expected inactivity or when [Assignment: organization-defined circumstances]. |
3.1.2 | Access Control | Access Enforcement | Enforce approved authorizations for logical access to CUI and system resources in accordance with applicable access control policies. |
3.1.3 | Access Control | Information Flow Enforcement | Enforce approved authorizations for controlling the flow of CUI within the system and between connected systems. |
3.1.4 | Access Control | Separation of Duties | a. Identify the duties of individuals requiring separation.
b. Define system access authorizations to support separation of duties. |
3.1.5 | Access Control | Least Privilege | a. Allow only authorized system access for users (or processes acting on behalf of users) that is necessary to accomplish assigned organizational tasks.
b. Authorize access to [Assignment: organization-defined security functions] and [Assignment: organization-defined security-relevant information].
c. Review the privileges assigned to roles or classes of users [Assignment: organization-defined frequency] to validate the need for such privileges.
d. Reassign or remove privileges, as necessary. |
3.1.6 | Access Control | Least Privilege – Privileged Accounts | a. Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles].
b. Require that users (or roles) with privileged accounts use non-privileged accounts when accessing non-security functions or non-security information. |
3.1.7 | Access Control | Least Privilege - Privileged Functions | a. Prevent non-privileged users from executing privileged functions.
b. Log the execution of privileged functions. |
3.1.8 | Access Control | Unsuccessful Logon Attempts | a. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period].
b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt; notify system administrator; take other action] when the maximum number of unsuccessful attempts is exceeded. |
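The lockout logic 3.1.8 asks for, as an added example (illustrative code, not text or code from SP 800-171). Every numeric value stands in for an [Assignment] the organization fills in; the in-memory account table and the injectable clock are assumptions so the block runs stand-alone. It counts only failures inside the counting window as "consecutive", applies either a timed lock or an administrator-released lock when the limit is reached, records the administrator notification, and refuses a logon while locked without consulting the credential so the lock itself cannot be probed.

```python
"""Account lockout enforcement in the shape of 3.1.8 (added example)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    max_attempts: int = 5             # [Assignment: organization-defined number] (assumed)
    window_seconds: float = 900.0     # [Assignment: organization-defined time period] for counting
    lock_seconds: float = 1800.0      # [Selection] lock for an organization-defined time period
    admin_release_only: bool = False  # [Selection] lock until released by an administrator


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # times of recent invalid attempts
    locked_until: Optional[float] = None                 # expiry of a timed lock, if any
    admin_locked: bool = False                           # held until admin_release()


class LockoutEnforcer:
    def __init__(self, policy: LockoutPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}      # assumed in-memory store
        self.notifications: List[Tuple[str, float]] = []  # [Selection] notify system administrator

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str) -> bool:
        st = self._state(user)
        if st.admin_locked:
            return True
        return st.locked_until is not None and self.clock() < st.locked_until

    def _record_failure(self, user: str) -> bool:
        """Count one invalid attempt; return True if it triggered a lock."""
        st = self._state(user)
        now = self.clock()
        # Only failures inside the counting window are "consecutive" for 3.1.8 a.
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        st.failures.append(now)
        if len(st.failures) < self.policy.max_attempts:
            return False
        # Limit reached: apply the selected automatic action (3.1.8 b).
        st.failures.clear()
        if self.policy.admin_release_only:
            st.admin_locked = True
        else:
            st.locked_until = now + self.policy.lock_seconds
        self.notifications.append((user, now))
        return True

    def attempt_login(self, user: str, password_ok: bool) -> Tuple[bool, str]:
        """Gate a logon. `password_ok` is the credential check's verdict; it is
        ignored while the account is locked so the lock cannot be used as an oracle."""
        if self.is_locked(user):
            return False, "locked"
        if password_ok:
            self._state(user).failures.clear()  # a success ends the consecutive run
            return True, "ok"
        return False, "locked" if self._record_failure(user) else "invalid"

    def admin_release(self, user: str) -> None:
        """Administrator clears the lock (the 'until released by an administrator' selection)."""
        self.accounts[user] = AccountState()
```

In a real login path the caller should consult `is_locked()` before it verifies the credential at all, so that a locked account does not even reach the password check; the `password_ok` parameter here stands in for that verdict.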
3.1.9 | Access Control | System Use Notification | Display a system use notification message with privacy and security notices consistent with applicable CUI rules before granting access to the system. |
3.1.10 | Access Control | Device Lock | a. Prevent access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended].
b. Retain the device lock until the user reestablishes access using established identification and authentication procedures.
c. Conceal, via the device lock, information previously visible on the display with a publicly viewable image. |
3.1.11 | Access Control | Session Termination | Terminate a user session automatically after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. |
3.1.12 | Access Control | Remote Access | a. Establish usage restrictions, configuration requirements, and connection requirements for each type of allowable remote system access.
b. Authorize each type of remote system access prior to establishing such connections.
c. Route remote access to the system through authorized and managed access control points.
d. Authorize the remote execution of privileged commands and remote access to security-relevant information. |
3.1.16 | Access Control | Wireless Access | a. Establish usage restrictions, configuration requirements, and connection requirements for each type of wireless access to the system.
b. Authorize each type of wireless access to the system prior to establishing such connections.
c. Disable, when not intended for use, wireless networking capabilities prior to issuance and deployment.
d. Protect wireless access to the system using authentication and encryption. |
3.1.18 | Access Control | Access Control for Mobile Devices | a. Establish usage restrictions, configuration requirements, and connection requirements for mobile devices.
b. Authorize the connection of mobile devices to the system.
c. Implement full-device or container-based encryption to protect the confidentiality of CUI on mobile devices. |
3.1.20 | Access Control | Use of External Systems | a. Prohibit the use of external systems unless the systems are specifically authorized.
b. Establish the following security requirements to be satisfied on external systems prior to allowing use of or access to those systems by authorized individuals: [Assignment: organization-defined security requirements].
c. Permit authorized individuals to use external systems to access the organizational system or to process, store, or transmit CUI only after:
1. Verifying that the security requirements on the external systems as specified in the organization’s system security plans have been satisfied and
2. Retaining approved system connection or processing agreements with the organizational entities hosting the external systems.
d. Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems. |
3.1.22 | Access Control | Publicly Accessible Content | a. Train authorized individuals to ensure that publicly accessible information does not contain CUI.
b. Review the content on publicly accessible systems for CUI and remove such information, if discovered. |
3.2.1 | Awareness and Training | Literacy Training and Awareness | a. Provide security literacy training to system users:
1. As part of initial training for new users and [Assignment: organization-defined frequency] thereafter,
2. When required by system changes or following [Assignment: organization-defined events], and
3. On recognizing and reporting indicators of insider threat, social engineering, and social mining.
b. Update security literacy training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. |
3.2.2 | Awareness and Training | Role-Based Training | a. Provide role-based security training to organizational personnel:
1. Before authorizing access to the system or CUI, before performing assigned duties, and [Assignment: organization-defined frequency] thereafter, and
2. When required by system changes or following [Assignment: organization-defined events].
b. Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. |
3.3.1 | Audit and Accountability | Event Logging | a. Specify the following event types selected for logging within the system: [Assignment: organization-defined event types].
b. Review and update the event types selected for logging [Assignment: organization-defined frequency]. |
3.3.2 | Audit and Accountability | Audit Record Content | a. Include the following content in audit records:
1. What type of event occurred,
2. When the event occurred,
3. Where the event occurred,
4. Source of the event,
5. Outcome of the event, and
6. Identity of the individuals, subjects, objects, or entities associated with the event.
b. Provide additional information for audit records as needed. |
3.3.3 | Audit and Accountability | Audit Record Generation | a. Generate audit records for the selected event types and audit record content specified in 3.3.1 and 3.3.2.
b. Retain audit records for a time period consistent with the records retention policy. |
3.3.4 | Audit and Accountability | Response to Audit Logging Process Failures | a. Alert organizational personnel or roles within [Assignment: organization-defined time period] in the event of an audit logging process failure.
b. Take the following additional actions: [Assignment: organization-defined additional actions]. |
3.3.5 | Audit and Accountability | Audit Record Review, Analysis, and Reporting | a. Review and analyze system audit records [Assignment: organization-defined frequency] for indications and the potential impact of inappropriate or unusual activity.
b. Report findings to organizational personnel or roles.
c. Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. |
3.3.6 | Audit and Accountability | Audit Record Reduction and Report Generation | a. Implement an audit record reduction and report generation capability that supports audit record review, analysis, reporting requirements, and after-the-fact investigations of incidents.
b. Preserve the original content and time ordering of audit records. |
3.3.7 | Audit and Accountability | Time Stamps | a. Use internal system clocks to generate time stamps for audit records.
b. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time (UTC), have a fixed local time offset from UTC, or include the local time offset as part of the time stamp. |
3.3.8 | Audit and Accountability | Protection of Audit Information | a. Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
b. Authorize access to management of audit logging functionality to only a subset of privileged users or roles. |
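An audit record carrying the six content items of 3.3.2, a time stamp in the form 3.3.7 b accepts (UTC, explicit offset, millisecond granularity), and a log whose entries are HMAC-chained so that modification, deletion or reordering of stored records is detectable, which is one way to back 3.3.6 b and 3.3.8 a. This is an added example, not code or text from SP 800-171. The field names, the in-memory entry list, the chain construction and the choice of HMAC-SHA-256 are assumptions; the chain key belongs to the audit-management role of 3.3.8 b and must not be readable by the processes that write records.

```python
"""3.3.2 audit record content, 3.3.7 time stamps and a tamper-evident chain (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


def utc_timestamp(when: Optional[datetime] = None) -> str:
    """3.3.7 b: UTC, millisecond granularity, offset carried in the string."""
    when = when or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("audit time stamps must be timezone-aware")
    return when.astimezone(timezone.utc).isoformat(timespec="milliseconds")


def parse_timestamp(ts: str) -> datetime:
    """Read a stored time stamp back as an aware datetime; a naive one is rejected."""
    when = datetime.fromisoformat(ts)
    if when.tzinfo is None:
        raise ValueError("stored time stamp lacks an offset")
    return when


@dataclass
class AuditRecord:
    event_type: str               # 3.3.2 a.1 what type of event occurred
    timestamp: str                # 3.3.2 a.2 when (from utc_timestamp)
    location: str                 # 3.3.2 a.3 where: host or component
    source: str                   # 3.3.2 a.4 source: process, address or interface
    outcome: str                  # 3.3.2 a.5 success, failure, denied, ...
    subject: str                  # 3.3.2 a.6 identity of the acting user or entity
    obj: str = ""                 # 3.3.2 a.6 object acted upon, if any
    extra: Dict[str, str] = field(default_factory=dict)  # 3.3.2 b additional content


class AuditLog:
    """Append-only log whose entries are HMAC-chained: each MAC covers the previous
    MAC, the sequence number and the record, so editing, deleting or reordering an
    earlier entry breaks verification from that point on."""
    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key                    # held by the audit-management role only (3.3.8 b)
        self.entries: List[dict] = []      # assumed in-memory store
        self._prev_mac = self.GENESIS

    def _mac(self, prev_mac: str, seq: int, body: str) -> str:
        msg = f"{prev_mac}|{seq}|{body}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, record: AuditRecord) -> dict:
        seq = len(self.entries)            # sequence number fixes time ordering (3.3.6 b)
        body = json.dumps(asdict(record), sort_keys=True, separators=(",", ":"))
        entry = {"seq": seq, "record": body, "mac": self._mac(self._prev_mac, seq, body)}
        self.entries.append(entry)
        self._prev_mac = entry["mac"]
        return entry

    def verify(self) -> Optional[int]:
        """Index of the first entry that fails, or None if the chain is intact.
        Truncation of the tail is only caught if the latest MAC was anchored elsewhere."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i:
                return i
            if not hmac.compare_digest(self._mac(prev, i, e["record"]), e["mac"]):
                return i
            prev = e["mac"]
        return None


def logon_event(user: str, host: str, src_ip: str, outcome: str) -> AuditRecord:
    """Convenience constructor for a logon record with every 3.3.2 a item filled."""
    return AuditRecord("logon", utc_timestamp(), host, src_ip, outcome, user)
```

The chain protects against silent edits and deletions inside the log, not against an attacker who also holds the key or who simply discards the newest entries; store the most recent MAC (or periodically the whole chain head) somewhere the log writers cannot reach, which is the separation 3.3.8 b calls for.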
3.4.1 | Configuration Management | Baseline Configuration | a. Develop and maintain, under configuration control, a current baseline configuration of the system.
b. Review and update the baseline configuration of the system [Assignment: organization-defined frequency] and when system components are installed or modified. |
3.4.2 | Configuration Management | Configuration Settings | a. Establish, document, and implement the following configuration settings for the system that reflect the most restrictive mode consistent with operational requirements: [Assignment: organization-defined configuration settings].
b. Identify, document, and approve any deviations from established configuration settings. |
3.4.3 | Configuration Management | Configuration Change Control | a. Define the types of changes to the system that are configuration-controlled.
b. Review proposed configuration-controlled changes to the system, and approve or disapprove such changes with explicit consideration for security impacts.
c. Implement and document approved configuration-controlled changes to the system.
d. Monitor and review activities associated with configuration-controlled changes to the system. |
3.4.4 | Configuration Management | Impact Analyses | a. Analyze changes to the system to determine potential security impacts prior to change implementation.
b. Verify that the security requirements for the system continue to be satisfied after the system changes have been implemented. |
3.4.5 | Configuration Management | Access Restrictions for Change | Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. |
3.4.6 | Configuration Management | Least Functionality | a. Configure the system to provide only mission-essential capabilities.
b. Prohibit or restrict use of the following functions, ports, protocols, connections, and services: [Assignment: organization-defined functions, ports, protocols, connections, and services].
c. Review the system [Assignment: organization-defined frequency] to identify unnecessary or nonsecure functions, ports, protocols, connections, and services.
d. Disable or remove functions, ports, protocols, connections, and services that are unnecessary or nonsecure. |
3.4.8 | Configuration Management | Authorized Software – Allow by Exception | a. Identify software programs authorized to execute on the system.
b. Implement a deny-all, allow-by-exception policy for the execution of authorized software programs on the system.
c. Review and update the list of authorized software programs [Assignment: organization-defined frequency]. |
3.4.10 | Configuration Management | System Component Inventory | a. Develop and document an inventory of system components.
b. Review and update the system component inventory [Assignment: organization-defined frequency].
c. Update the system component inventory as part of installations, removals, and system updates. |
3.4.11 | Configuration Management | Information Location | a. Identify and document the location of CUI and the system components on which the information is processed and stored.
b. Document changes to the system or system component location where CUI is processed and stored. |
3.4.12 | Configuration Management | System and Component Configuration for High-Risk Areas | a. Issue systems or system components with the following configurations to individuals traveling to high-risk locations: [Assignment: organization-defined system configurations].
b. Apply the following security requirements to the systems or components when the individuals return from travel: [Assignment: organization-defined security requirements]. |
3.5.1 | Identification and Authentication | User Identification and Authentication | a. Uniquely identify and authenticate system users, and associate that unique identification with processes acting on behalf of those users.
b. Re-authenticate users when [Assignment: organization-defined circumstances or situations requiring re-authentication]. |
3.5.2 | Identification and Authentication | Device Identification and Authentication | Uniquely identify and authenticate [Assignment: organization-defined devices or types of devices] before establishing a system connection. |
3.5.3 | Identification and Authentication | Multi-Factor Authentication | Implement multi-factor authentication for access to privileged and non-privileged accounts. |
3.5.4 | Identification and Authentication | Replay-Resistant Authentication | Implement replay-resistant authentication mechanisms for access to privileged and non-privileged accounts. |
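What "replay-resistant" in 3.5.4 means in practice, as an added example that is not code or text from SP 800-171: the verifier issues a random, user-bound, time-limited challenge that is consumed on first use, and the claimant answers with an HMAC over that challenge, so a captured exchange is worthless afterwards. A static secret verifier is shown beside it for contrast, because a captured bearer value is accepted every time it is presented. The shared-secret HMAC scheme, the 30-second challenge lifetime and the in-memory tables are assumptions.

```python
"""Replay-resistant challenge-response authentication for 3.5.4 (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple


def compute_response(secret: bytes, user: str, nonce: str) -> str:
    """Claimant side: prove possession of `secret` over this nonce only."""
    return hmac.new(secret, f"{user}\x00{nonce}".encode(), hashlib.sha256).hexdigest()


class ChallengeVerifier:
    """Verifier side. Each challenge is unpredictable, bound to one user,
    time-limited and single-use, so a recorded response cannot be replayed."""

    def __init__(self, secrets_by_user: Dict[str, bytes],
                 clock: Callable[[], float] = time.time, ttl_seconds: float = 30.0):
        self._secrets = secrets_by_user                  # assumed shared-secret table
        self._clock = clock
        self._ttl = ttl_seconds                          # assumed challenge lifetime
        self._outstanding: Dict[str, Tuple[str, float]] = {}   # nonce -> (user, issued_at)

    def issue_challenge(self, user: str) -> str:
        nonce = secrets.token_hex(16)                    # 128 bits of fresh randomness
        self._outstanding[nonce] = (user, self._clock())
        return nonce

    def verify(self, user: str, nonce: str, response: str) -> bool:
        issued = self._outstanding.pop(nonce, None)     # single use: consumed even on failure
        if issued is None:
            return False                                 # unknown, expired-and-purged, or replayed
        issued_user, issued_at = issued
        if issued_user != user or self._clock() - issued_at > self._ttl:
            return False
        secret = self._secrets.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(compute_response(secret, user, nonce), response)


class StaticSecretVerifier:
    """What 3.5.4 rules out on its own: a fixed bearer value. It is accepted at
    every attempt, including an attacker's replay of a captured copy."""

    def __init__(self, secrets_by_user: Dict[str, str]):
        self._secrets = secrets_by_user

    def verify(self, user: str, presented: str) -> bool:
        expected = self._secrets.get(user)
        return expected is not None and hmac.compare_digest(expected, presented)
```

The same property is what TLS client authentication, FIDO2 assertions and time-based OTPs provide in different ways: something unpredictable from the verifier (or the current time window) is bound into the proof, so the proof is only good once.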
3.5.5 | Identification and Authentication | Identifier Management | a. Receive authorization from organizational personnel or roles to assign an individual, group, role, service, or device identifier.
b. Select and assign an identifier that identifies an individual, group, role, service, or device.
c. Prevent the reuse of identifiers for [Assignment: organization-defined time period].
d. Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]. |
3.5.7 | Identification and Authentication | Password Management | a. Maintain a list of commonly used, expected, or compromised passwords, and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised.
b. Verify that passwords are not found on the list of commonly used, expected, or compromised passwords when users create or update passwords.
c. Transmit passwords only over cryptographically protected channels.
d. Store passwords in a cryptographically protected form.
e. Select a new password upon first use after account recovery.
f. Enforce the following composition and complexity rules for passwords: [Assignment: organization-defined composition and complexity rules]. |
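Items a, b, d, e and f of 3.5.7 as working code, added here as an example and not taken from SP 800-171: a candidate password is screened against a blocklist and the organization's composition rules before it is accepted, it is stored only as a salted PBKDF2-HMAC-SHA-256 digest, and an account that has gone through recovery is flagged so its temporary secret must be replaced at first use. The blocklist contents (a constructed stand-in), the rule values, the trailing-character heuristic, the iteration count and the in-memory store are assumptions. Item c is a transport matter (TLS) and is not shown.

```python
"""Password screening, storage and post-recovery change for 3.5.7 (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-in for the organization's list of commonly used, expected or
# compromised passwords (3.5.7 a). A real list is breach-derived, large, and
# refreshed on the organization-defined schedule.
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein",
             "welcome1", "acme2024", "changeme"}
_TRAILING = "0123456789!@#$%^&*.?-_"   # stripped so "Password2024!" still hits "password" (assumption)


@dataclass
class CompositionRules:              # [Assignment: organization-defined composition and complexity rules]
    min_length: int = 12             # assumed value
    max_length: int = 128            # assumed value


def password_problems(candidate: str, user: str = "",
                      rules: Optional[CompositionRules] = None) -> List[str]:
    """3.5.7 b/f: reasons to reject a candidate; an empty list means accept."""
    rules = rules or CompositionRules()
    problems: List[str] = []
    if len(candidate) < rules.min_length:
        problems.append("too short")
    if len(candidate) > rules.max_length:
        problems.append("too long")
    normalized = candidate.strip().lower()
    if normalized in BLOCKLIST or normalized.rstrip(_TRAILING) in BLOCKLIST:
        problems.append("on blocklist")
    if user and user.lower() in normalized:       # an "expected" password for this account
        problems.append("contains username")
    return problems


@dataclass
class StoredCredential:              # 3.5.7 d: only salt, one-way digest and parameters are kept
    salt: bytes
    digest: bytes
    iterations: int
    must_change: bool = False        # 3.5.7 e: set after account recovery


def hash_password(password: str, iterations: int) -> StoredCredential:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return StoredCredential(salt, digest, iterations)


def verify_password(stored: StoredCredential, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), stored.salt, stored.iterations)
    return hmac.compare_digest(digest, stored.digest)


class PasswordStore:
    def __init__(self, iterations: int = 600_000):      # assumed work factor
        self._iterations = iterations
        self._creds: Dict[str, StoredCredential] = {}   # assumed in-memory store
        # Verified against for unknown users so a miss costs the same time as a hit.
        self._dummy = hash_password(os.urandom(16).hex(), iterations)

    def set_password(self, user: str, candidate: str) -> List[str]:
        """Create or update; returns the rejection reasons (empty on success)."""
        problems = password_problems(candidate, user)
        if not problems:
            self._creds[user] = hash_password(candidate, self._iterations)
        return problems

    def recover(self, user: str, temporary: str) -> None:
        """Account recovery issues a temporary secret that must be replaced at first use."""
        cred = hash_password(temporary, self._iterations)
        cred.must_change = True
        self._creds[user] = cred

    def authenticate(self, user: str, password: str) -> str:
        """Returns 'ok', 'change_required' or 'denied'."""
        cred = self._creds.get(user, self._dummy)
        ok = verify_password(cred, password)           # always computed, known user or not
        if user not in self._creds or not ok:
            return "denied"
        return "change_required" if cred.must_change else "ok"
```

A caller that receives `change_required` should let the session proceed only as far as the password-change form, which is the practical shape of 3.5.7 e.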
3.5.11 | Identification and Authentication | Authentication Feedback | Obscure feedback of authentication information during the authentication process. |
3.5.12 | Identification and Authentication | Authenticator Management | a. Verify the identity of the individual, group, role, service, or device receiving the authenticator as part of the initial authenticator distribution.
b. Establish initial authenticator content for any authenticators issued by the organization.
c. Establish and implement administrative procedures for initial authenticator distribution; for lost, compromised, or damaged authenticators; and for revoking authenticators.
d. Change default authenticators at first use.
e. Change or refresh authenticators [Assignment: organization-defined frequency] or when the following events occur: [Assignment: organization-defined events].
f. Protect authenticator content from unauthorized disclosure and modification. |
3.6.1 | Incident Response | Incident Handling | Implement an incident-handling capability that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery. |
3.6.2 | Incident Response | Incident Monitoring, Reporting, and Response Assistance | a. Track and document system security incidents.
b. Report suspected incidents to the organizational incident response capability within [Assignment: organization-defined time period].
c. Report incident information to [Assignment: organization-defined authorities].
d. Provide an incident response support resource that offers advice and assistance to system users on handling and reporting incidents. |
3.6.3 | Incident Response | Incident Response Testing | Test the effectiveness of the incident response capability [Assignment: organization-defined frequency]. |
3.6.4 | Incident Response | Incident Response Training | a. Provide incident response training to system users consistent with assigned roles and responsibilities:
1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access,
2. When required by system changes, and
3. [Assignment: organization-defined frequency] thereafter.
b. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. |
3.6.5 | Incident Response | Incident Response Plan | a. Develop an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability,
2. Describes the structure and organization of the incident response capability,
3. Provides a high-level approach for how the incident response capability fits into the overall organization,
4. Defines reportable incidents,
5. Addresses the sharing of incident information, and
6. Designates responsibilities to organizational entities, personnel, or roles.
b. Distribute copies of the incident response plan to designated incident response personnel (identified by name and/or by role) and organizational elements.
c. Update the incident response plan to address system and organizational changes or problems encountered during plan implementation, execution, or testing.
d. Protect the incident response plan from unauthorized disclosure. |
3.7.4 | Maintenance | Maintenance Tools | a. Approve, control, and monitor the use of system maintenance tools.
b. Check media containing diagnostic and test programs for malicious code before the media are used in the system.
c. Prevent the removal of system maintenance equipment containing CUI by verifying that there is no CUI on the equipment, sanitizing or destroying the equipment, or retaining the equipment within the facility. |
3.7.5 | Maintenance | Nonlocal Maintenance | a. Approve and monitor nonlocal maintenance and diagnostic activities.
b. Implement multi-factor authentication and replay resistance in the establishment of nonlocal maintenance and diagnostic sessions.
c. Terminate session and network connections when nonlocal maintenance is completed. |
3.7.6 | Maintenance | Maintenance Personnel | a. Establish a process for maintenance personnel authorization.
b. Maintain a list of authorized maintenance organizations or personnel.
c. Verify that non-escorted personnel who perform maintenance on the system possess the required access authorizations.
d. Designate organizational personnel with required access authorizations and technical competence to supervise the maintenance activities of personnel who do not possess the required access authorizations. |
3.8.1 | Media Protection | Media Storage | Physically control and securely store system media that contain CUI. |
3.8.2 | Media Protection | Media Access | Restrict access to CUI on system media to authorized personnel or roles. |
3.8.3 | Media Protection | Media Sanitization | Sanitize system media that contain CUI prior to disposal, release out of organizational control, or release for reuse. |
3.8.4 | Media Protection | Media Marking | Mark system media that contain CUI to indicate distribution limitations, handling caveats, and applicable CUI markings. |
3.8.5 | Media Protection | Media Transport | a. Protect and control system media that contain CUI during transport outside of controlled areas.
b. Maintain accountability of system media that contain CUI during transport outside of controlled areas.
c. Document activities associated with the transport of system media that contain CUI. |
3.8.7 | Media Protection | Media Use | a. Restrict or prohibit the use of [Assignment: organization-defined types of system media].
b. Prohibit the use of removable system media without an identifiable owner. |
3.8.9 | Media Protection | System Backup – Cryptographic Protection | a. Protect the confidentiality of backup information.
b. Implement cryptographic mechanisms to prevent the unauthorized disclosure of CUI at backup storage locations. |
3.9.1 | Personnel Security | Personnel Screening | a. Screen individuals prior to authorizing access to the system.
b. Rescreen individuals in accordance with [Assignment: organization-defined conditions requiring rescreening]. |
3.9.2 | Personnel Security | Personnel Termination and Transfer | a. When individual employment is terminated:
1. Disable system access within [Assignment: organization-defined time period],
2. Terminate or revoke authenticators and credentials associated with the individual, and
3. Retrieve security-related system property.
b. When individuals are reassigned or transferred to other positions in the organization:
1. Review and confirm the ongoing operational need for current logical and physical access authorizations to the system and facility, and
2. Modify access authorization to correspond with any changes in operational need. |
3.10.1 | Physical Protection | Physical Access Authorizations | a. Develop, approve, and maintain a list of individuals with authorized access to the facility where the system resides.
b. Issue authorization credentials for facility access.
c. Review the facility access list [Assignment: organization-defined frequency].
d. Remove individuals from the facility access list when access is no longer required. |
3.10.2 | Physical Protection | Monitoring Physical Access | a. Monitor physical access to the facility where the system resides to detect and respond to physical security incidents.
b. Review physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]. |
3.10.6 | Physical Protection | Alternate Work Site | a. Determine alternate work sites allowed for use by employees.
b. Employ the following security requirements at alternate work sites: [Assignment: organization-defined security requirements]. |
3.10.7 | Physical Protection | Physical Access Control | a. Enforce physical access authorizations at entry and exit points to the facility where the system resides by:
1. Verifying individual physical access authorizations before granting access to the facility and
2. Controlling ingress and egress with physical access control systems, devices, or guards.
b. Maintain physical access audit logs for entry or exit points.
c. Escort visitors, and control visitor activity.
d. Secure keys, combinations, and other physical access devices.
e. Control physical access to output devices to prevent unauthorized individuals from obtaining access to CUI. |
3.10.8 | Physical Protection | Access Control for Transmission | Control physical access to system distribution and transmission lines within organizational facilities. |
3.11.1 | Risk Assessment | Risk Assessment | a. Assess the risk (including supply chain risk) of unauthorized disclosure resulting from the processing, storage, or transmission of CUI.
b. Update risk assessments [Assignment: organization-defined frequency]. |
3.11.2 | Risk Assessment | Vulnerability Monitoring and Scanning | a. Monitor and scan the system for vulnerabilities [Assignment: organization-defined frequency] and when new vulnerabilities affecting the system are identified.
b. Remediate system vulnerabilities within [Assignment: organization-defined response times].
c. Update the set of system vulnerabilities to be scanned [Assignment: organization-defined frequency] and when new vulnerabilities are identified and reported. |
3.11.4 | Risk Assessment | Risk Response | Respond to findings from security assessments, monitoring, and audits. |
3.12.1 | Security Assessment and Monitoring | Security Assessment | Assess the security requirements for the system and its environment of operation [Assignment: organization-defined frequency] to determine if the requirements have been satisfied. |
3.12.2 | Security Assessment and Monitoring | Plan of Action and Milestones | a. Develop a plan of action and milestones for the system:
1. To document the planned remediation actions to correct weaknesses or deficiencies noted during security assessments and
2. To reduce or eliminate known system vulnerabilities.
b. Update the existing plan of action and milestones based on the findings from:
1. Security assessments,
2. Audits or reviews, and
3. Continuous monitoring activities. |
3.12.3 | Security Assessment and Monitoring | Continuous Monitoring | Develop and implement a system-level continuous monitoring strategy that includes ongoing monitoring and security assessments. |
3.12.5 | Security Assessment and Monitoring | Information Exchange | a. Approve and manage the exchange of CUI between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service-level agreements; user agreements; non-disclosure agreements; other types of agreements].
b. Document interface characteristics, security requirements, and responsibilities for each system as part of the exchange agreements.
c. Review and update the exchange agreements [Assignment: organization-defined frequency]. |
3.13.1 | System and Communications Protection | Boundary Protection | a. Monitor and control communications at external managed interfaces to the system and key internal managed interfaces within the system.
b. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
c. Connect to external systems only through managed interfaces that consist of boundary protection devices arranged in accordance with an organizational security architecture. |
3.13.4 | System and Communications Protection | Information in Shared System Resources | Prevent unauthorized and unintended information transfer via shared system resources. |
3.13.6 | System and Communications Protection | Network Communications – Deny by Default – Allow by Exception | Deny network communications traffic by default, and allow network communications traffic by exception. |
3.13.8 | System and Communications Protection | Transmission and Storage Confidentiality | Implement cryptographic mechanisms to prevent the unauthorized disclosure of CUI during transmission and while in storage. |
3.13.9 | System and Communications Protection | Network Disconnect | Terminate the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. |
3.13.10 | System and Communications Protection | Cryptographic Key Establishment and Management | Establish and manage cryptographic keys in the system in accordance with the following key management requirements: [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction]. |
3.13.11 | System and Communications Protection | Cryptographic Protection | Implement the following types of cryptography to protect the confidentiality of CUI: [Assignment: organization-defined types of cryptography]. |
3.13.12 | System and Communications Protection | Collaborative Computing Devices and Applications | a. Prohibit the remote activation of collaborative computing devices and applications with the following exceptions: [Assignment: organization-defined exceptions where remote activation is to be allowed].
b. Provide an explicit indication of use to users physically present at the devices. |
3.13.13 | System and Communications Protection | Mobile Code | a. Define acceptable mobile code and mobile code technologies.
b. Authorize, monitor, and control the use of mobile code. |
3.13.15 | System and Communications Protection | Session Authenticity | Protect the authenticity of communications sessions. |
3.14.1 | System and Information Integrity | Flaw Remediation | a. Identify, report, and correct system flaws.
b. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates. |
3.14.2 | System and Information Integrity | Malicious Code Protection | a. Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
b. Update malicious code protection mechanisms as new releases are available in accordance with configuration management policies and procedures.
c. Configure malicious code protection mechanisms to:
1. Perform scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at endpoints or system entry and exit points as the files are downloaded, opened, or executed; and
2. Block malicious code, quarantine malicious code, or take other mitigation actions in response to malicious code detection. |
3.14.3 | System and Information Integrity | Security Alerts, Advisories, and Directives | a. Receive system security alerts, advisories, and directives from external organizations on an ongoing basis.
b. Generate and disseminate internal system security alerts, advisories, and directives, as necessary. |
3.14.6 | System and Information Integrity | System Monitoring | a. Monitor the system to detect:
1. Attacks and indicators of potential attacks and
2. Unauthorized connections.
b. Identify unauthorized use of the system.
c. Monitor inbound and outbound communications traffic to detect unusual or unauthorized activities or conditions. |
3.14.8 | System and Information Integrity | Information Management and Retention | Manage and retain CUI within the system and CUI output from the system in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements. |
3.15.1 | Planning | Policy and Procedures | a. Develop, document, and disseminate to organizational personnel or roles the policies and procedures needed to satisfy the security requirements for the protection of CUI.
b. Review and update policies and procedures [Assignment: organization-defined frequency]. |
3.15.2 | Planning | System Security Plan | a. Develop a system security plan that:
1. Defines the constituent system components;
2. Identifies the information types processed, stored, and transmitted by the system;
3. Describes specific threats to the system that are of concern to the organization;
4. Describes the operational environment for the system and any dependencies on or connections to other systems or system components;
5. Provides an overview of the security requirements for the system;
6. Describes the safeguards in place or planned for meeting the security requirements;
7. Identifies individuals that fulfill system roles and responsibilities; and
8. Includes other relevant information necessary for the protection of CUI.
b. Review and update the system security plan [Assignment: organization-defined frequency].
c. Protect the system security plan from unauthorized disclosure. |
3.15.3 | Planning | Rules of Behavior | a. Establish rules that describe the responsibilities and expected behavior for system usage and protecting CUI.
b. Provide rules to individuals who require access to the system.
c. Receive a documented acknowledgement from individuals indicating that they have read, understand, and agree to abide by the rules of behavior before authorizing access to CUI and the system.
d. Review and update the rules of behavior [Assignment: organization-defined frequency]. |
3.16.1 | System and Services Acquisition | Security Engineering Principles | Apply the following systems security engineering principles to the development or modification of the system and system components: [Assignment: organization-defined systems security engineering principles]. |
3.16.2 | System and Services Acquisition | Unsupported System Components | a. Replace system components when support for the components is no longer available from the developer, vendor, or manufacturer.
b. Provide options for risk mitigation or alternative sources for continued support for unsupported components that cannot be replaced. |
3.16.3 | System and Services Acquisition | External System Services | a. Require the providers of external system services used for the processing, storage, or transmission of CUI to comply with the following security requirements: [Assignment: organization-defined security requirements].
b. Define and document user roles and responsibilities with regard to external system services, including shared responsibilities with external service providers.
c. Implement processes, methods, and techniques to monitor security requirement compliance by external service providers on an ongoing basis. |
3.17.1 | Supply Chain Risk Management | Supply Chain Risk Management Plan | a. Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of the system, system components, or system services.
b. Review and update the supply chain risk management plan [Assignment: organization-defined frequency].
c. Protect the supply chain risk management plan from unauthorized disclosure. |
3.17.2 | Supply Chain Risk Management | Acquisition Strategies, Tools, and Methods | Develop and implement acquisition strategies, contract tools, and procurement methods to identify, protect against, and mitigate supply chain risks. |
3.17.3 | Supply Chain Risk Management | Supply Chain Requirements and Processes | a. Establish a process for identifying and addressing weaknesses or deficiencies in the supply chain elements and processes.
b. Enforce the following security requirements to protect against supply chain risks to the system, system components, or system services and to limit the harm or consequences from supply chain-related events: [Assignment: organization-defined security requirements]. |