NIST 800-171A Assessment Procedure Explorer

ID Family Determination Statement
3.1.1[a]Access Control

Authorized users are identified.

3.1.1[b]Access Control

Processes acting on behalf of authorized users are identified.

3.1.1[c]Access Control

Devices (including other systems) authorized to connect to the system are identified.

3.1.1[d]Access Control

System access is limited to authorized users.

3.1.1[e]Access Control

System access is limited to processes acting on behalf of authorized users.

3.1.1[f]Access Control

System access is limited to authorized devices (including other systems).

3.1.2[a]Access Control

The types of transactions and functions that authorized users are permitted to execute are defined.

3.1.2[b]Access Control

System access is limited to the defined types of transactions and functions for authorized users.

3.1.3[a]Access Control

Information flow control policies are defined.

3.1.3[b]Access Control

Methods and enforcement mechanisms for controlling the flow of CUI are defined.

3.1.3[c]Access Control

Designated sources and destinations (e.g., networks, individuals, and devices) for CUI within systems and between interconnected systems are identified.

3.1.3[d]Access Control

Authorizations for controlling the flow of CUI are defined.

3.1.3[e]Access Control

Approved authorizations for controlling the flow of CUI are enforced.

3.1.4[a]Access Control

The duties of individuals requiring separation to reduce the risk of malevolent activity are defined.

3.1.4[b]Access Control

Organization-defined duties of individuals requiring separation are separated.

3.1.4[c]Access Control

Separate accounts for individuals whose duties and accesses must be separated to reduce the risk of malevolent activity or collusion are established.

3.1.5[a]Access Control

Privileged accounts are identified.

3.1.5[b]Access Control

Access to privileged accounts is authorized in accordance with the principle of least privilege.

3.1.5[c]Access Control

Security functions are identified.

3.1.5[d]Access Control

Access to security functions is authorized in accordance with the principle of least privilege.

3.1.6[a]Access Control

Nonsecurity functions are identified.

3.1.6[b]Access Control

Users are required to use non-privileged accounts or roles when accessing nonsecurity functions.

3.1.7[a]Access Control

Privileged functions are defined.

3.1.7[b]Access Control

Non-privileged users are defined.

3.1.7[c]Access Control

Non-privileged users are prevented from executing privileged functions.

3.1.7[d]Access Control

The execution of privileged functions is captured in audit logs.

3.1.8[a]Access Control

The means of limiting unsuccessful logon attempts is defined.

3.1.8[b]Access Control

The defined means of limiting unsuccessful logon attempts is implemented.

3.1.9[a]Access Control

Privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category.

3.1.9[b]Access Control

Privacy and security notices are displayed.

3.1.10[a]Access Control

The period of inactivity after which the system initiates a session lock is defined.

3.1.10[b]Access Control

Access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity.

3.1.10[c]Access Control

Previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.

3.1.11[a]Access Control

Conditions requiring a user session to terminate are defined.

3.1.11[b]Access Control

A user session is automatically terminated after any of the defined conditions occur.

3.1.12[a]Access Control

Remote access sessions are permitted.

3.1.12[b]Access Control

The types of permitted remote access are identified.

3.1.12[c]Access Control

Remote access sessions are controlled.

3.1.12[d]Access Control

Remote access sessions are monitored.

3.1.13[a]Access Control

Cryptographic mechanisms to protect the confidentiality of remote access sessions are identified.

3.1.13[b]Access Control

Cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.

3.1.14[a]Access Control

Managed access control points are identified and implemented.

3.1.14[b]Access Control

Remote access is routed through managed network access control points.

3.1.15[a]Access Control

Privileged commands authorized for remote execution are identified.

3.1.15[b]Access Control

Security-relevant information authorized to be accessed remotely is identified.

3.1.15[c]Access Control

The execution of the identified privileged commands via remote access is authorized.

3.1.15[d]Access Control

Access to the identified security-relevant information via remote access is authorized.

3.1.16[a]Access Control

Wireless access points are identified.

3.1.16[b]Access Control

Wireless access is authorized prior to allowing such connections.

3.1.17[a]Access Control

Wireless access to the system is protected using encryption.

3.1.17[b]Access Control

Wireless access to the system is protected using authentication.

3.1.18[a]Access Control

Mobile devices that process, store, or transmit CUI are identified.

3.1.18[b]Access Control

The connection of mobile devices is authorized.

3.1.18[c]Access Control

Mobile device connections are monitored and logged.

3.1.19[a]Access Control

Mobile devices and mobile computing platforms that process, store, or transmit CUI are identified.

3.1.19[b]Access Control

Encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.

3.1.20[a]Access Control

Connections to external systems are identified.

3.1.20[b]Access Control

Use of external systems is identified.

3.1.20[c]Access Control

Connections to external systems are verified.

3.1.20[d]Access Control

Use of external systems is verified.

3.1.20[e]Access Control

Connections to external systems are controlled/limited.

3.1.20[f]Access Control

Use of external systems is controlled/limited.

3.1.21[a]Access Control

Use of organizational portable storage devices containing CUI on external systems is identified and documented.

3.1.21[b]Access Control

Limits on the use of organizational portable storage devices containing CUI on external systems are defined.

3.1.21[c]Access Control

Use of organizational portable storage devices containing CUI on external systems is limited as defined.

3.1.22[a]Access Control

Individuals authorized to post or process information on publicly accessible systems are identified.

3.1.22[b]Access Control

Procedures to ensure CUI is not posted or processed on publicly accessible systems are identified.

3.1.22[c]Access Control

A review process is in place prior to posting of any content to publicly accessible systems.

3.1.22[d]Access Control

Content on publicly accessible information systems is reviewed to ensure that it does not include CUI.

3.1.22[e]Access Control

Mechanisms are in place to remove and address improper posting of CUI.

3.2.1[a]Awareness and Training

Security risks associated with organizational activities involving CUI are identified.

3.2.1[b]Awareness and Training

Policies, standards, and procedures related to the security of the system are identified.

3.2.1[c]Awareness and Training

Managers, systems administrators, and users of the system are made aware of the security risks associated with their activities.

3.2.1[d]Awareness and Training

Managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.

3.2.2[a]Awareness and Training

Information security-related duties, roles, and responsibilities are defined.

3.2.2[b]Awareness and Training

Information security-related duties, roles, and responsibilities are assigned to designated personnel.

3.2.2[c]Awareness and Training

Personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.

3.2.3[a]Awareness and Training

Potential indicators associated with insider threats are identified.

3.2.3[b]Awareness and Training

Security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.

3.3.1[a]Audit and Accountability

Audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified.

3.3.1[b]Audit and Accountability

The content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined.

3.3.1[c]Audit and Accountability

Audit records are created (generated).

3.3.1[d]Audit and Accountability

Audit records, once created, contain the defined content.

3.3.1[e]Audit and Accountability

Retention requirements for audit records are defined.

3.3.1[f]Audit and Accountability

Audit records are retained as defined.

3.3.2[a]Audit and Accountability

The content of the audit records needed to support the ability to uniquely trace users to their actions is defined.

3.3.2[b]Audit and Accountability

Audit records, once created, contain the defined content.

3.3.3[a]Audit and Accountability

A process for determining when to review logged events is defined.

3.3.3[b]Audit and Accountability

Event types being logged are reviewed in accordance with the defined review process.

3.3.3[c]Audit and Accountability

Event types being logged are updated based on the review.

3.3.4[a]Audit and Accountability

Personnel or roles to be alerted in the event of an audit logging process failure are identified.

3.3.4[b]Audit and Accountability

Types of audit logging process failures for which an alert will be generated are defined.

3.3.4[c]Audit and Accountability

Identified personnel or roles are alerted in the event of an audit logging process failure.

3.3.5[a]Audit and Accountability

Audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined.

3.3.5[b]Audit and Accountability

Defined audit record review, analysis, and reporting processes are correlated.

3.3.6[a]Audit and Accountability

An audit record reduction capability that supports on-demand analysis is provided.

3.3.6[b]Audit and Accountability

A report generation capability that supports on-demand reporting is provided.

3.3.7[a]Audit and Accountability

Internal system clocks are used to generate time stamps for audit records.

3.3.7[b]Audit and Accountability

An authoritative source with which to compare and synchronize internal system clocks is specified.

3.3.7[c]Audit and Accountability

Internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source.

3.3.8[a]Audit and Accountability

Audit information is protected from unauthorized access.

3.3.8[b]Audit and Accountability

Audit information is protected from unauthorized modification.

3.3.8[c]Audit and Accountability

Audit information is protected from unauthorized deletion.

3.3.8[d]Audit and Accountability

Audit logging tools are protected from unauthorized access.

3.3.8[e]Audit and Accountability

Audit logging tools are protected from unauthorized modification.

3.3.8[f]Audit and Accountability

Audit logging tools are protected from unauthorized deletion.

3.3.9[a]Audit and Accountability

A subset of privileged users granted access to manage audit logging functionality is defined.

3.3.9[b]Audit and Accountability

Management of audit logging functionality is limited to the defined subset of privileged users.

3.4.1[a]Configuration Management

A baseline configuration is established.

3.4.1[b]Configuration Management

The baseline configuration includes hardware, software, firmware, and documentation.

3.4.1[c]Configuration Management

The baseline configuration is maintained (reviewed and updated) throughout the system development life cycle.

3.4.1[d]Configuration Management

A system inventory is established.

3.4.1[e]Configuration Management

The system inventory includes hardware, software, firmware, and documentation.

3.4.1[f]Configuration Management

The inventory is maintained (reviewed and updated) throughout the system development life cycle.

3.4.2[a]Configuration Management

Security configuration settings for information technology products employed in the system are established and included in the baseline configuration.

3.4.2[b]Configuration Management

Security configuration settings for information technology products employed in the system are enforced.

3.4.3[a]Configuration Management

Changes to the system are tracked.

3.4.3[b]Configuration Management

Changes to the system are reviewed.

3.4.3[c]Configuration Management

Changes to the system are approved or disapproved.

3.4.3[d]Configuration Management

Changes to the system are logged.

3.4.4[a]Configuration Management

The security impact of changes to each organizational system is analyzed prior to implementation.

3.4.5[a]Configuration Management

Physical access restrictions associated with changes to the system are defined.

3.4.5[b]Configuration Management

Physical access restrictions associated with changes to the system are documented.

3.4.5[c]Configuration Management

Physical access restrictions associated with changes to the system are approved.

3.4.5[d]Configuration Management

Physical access restrictions associated with changes to the system are enforced.

3.4.5[e]Configuration Management

Logical access restrictions associated with changes to the system are defined.

3.4.5[f]Configuration Management

Logical access restrictions associated with changes to the system are documented.

3.4.5[g]Configuration Management

Logical access restrictions associated with changes to the system are approved.

3.4.5[h]Configuration Management

Logical access restrictions associated with changes to the system are enforced.

3.4.6[a]Configuration Management

Essential system capabilities are defined based on the principle of least functionality.

3.4.6[b]Configuration Management

The system is configured to provide only the defined essential capabilities.

3.4.7[a]Configuration Management

Essential programs are defined.

3.4.7[b]Configuration Management

The use of nonessential programs is defined.

3.4.7[c]Configuration Management

The use of nonessential programs is restricted, disabled, or prevented as defined.

3.4.7[d]Configuration Management

Essential functions are defined.

3.4.7[e]Configuration Management

The use of nonessential functions is defined.

3.4.7[f]Configuration Management

The use of nonessential functions is restricted, disabled, or prevented as defined.

3.4.7[g]Configuration Management

Essential ports are defined.

3.4.7[h]Configuration Management

The use of nonessential ports is defined.

3.4.7[i]Configuration Management

The use of nonessential ports is restricted, disabled, or prevented as defined.

3.4.7[j]Configuration Management

Essential protocols are defined.

3.4.7[k]Configuration Management

The use of nonessential protocols is defined.

3.4.7[l]Configuration Management

The use of nonessential protocols is restricted, disabled, or prevented as defined.

3.4.7[m]Configuration Management

Essential services are defined.

3.4.7[n]Configuration Management

The use of nonessential services is defined.

3.4.7[o]Configuration Management

The use of nonessential services is restricted, disabled, or prevented as defined.

3.4.8[a]Configuration Management

A policy specifying whether whitelisting or blacklisting is to be implemented is specified.

3.4.8[b]Configuration Management

The software allowed to execute under whitelisting or denied use under blacklisting is specified.

3.4.8[c]Configuration Management

Whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.

3.4.9[a]Configuration Management

A policy for controlling the installation of software by users is established.

3.4.9[b]Configuration Management

Installation of software by users is controlled based on the established policy.

3.4.9[c]Configuration Management

Installation of software by users is monitored.

3.5.1[a]Identification and Authentication

System users are identified.

3.5.1[b]Identification and Authentication

Processes acting on behalf of users are identified.

3.5.1[c]Identification and Authentication

Devices accessing the system are identified.

3.5.2[a]Identification and Authentication

The identity of each user is authenticated or verified as a prerequisite to system access.

3.5.2[b]Identification and Authentication

The identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access.

3.5.2[c]Identification and Authentication

The identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.

3.5.3[a]Identification and Authentication

Privileged accounts are identified.

3.5.3[b]Identification and Authentication

Multifactor authentication is implemented for local access to privileged accounts.

3.5.3[c]Identification and Authentication

Multifactor authentication is implemented for network access to privileged accounts.

3.5.3[d]Identification and Authentication

Multifactor authentication is implemented for network access to non-privileged accounts.

3.5.4[a]Identification and Authentication

Replay-resistant authentication mechanisms are implemented for all network account access to privileged and non-privileged accounts.

3.5.5[a]Identification and Authentication

A period within which identifiers cannot be reused is defined.

3.5.5[b]Identification and Authentication

Reuse of identifiers is prevented within the defined period.

3.5.6[a]Identification and Authentication

A period of inactivity after which an identifier is disabled is defined.

3.5.6[b]Identification and Authentication

Identifiers are disabled after the defined period of inactivity.

3.5.7[a]Identification and Authentication

Password complexity requirements are defined.

3.5.7[b]Identification and Authentication

Password change of character requirements are defined.

3.5.7[c]Identification and Authentication

Minimum password complexity requirements as defined are enforced when new passwords are created.

3.5.7[d]Identification and Authentication

Minimum password change of character requirements as defined are enforced when new passwords are created.

3.5.8[a]Identification and Authentication

The number of generations during which a password cannot be reused is specified.

3.5.8[b]Identification and Authentication

Reuse of passwords is prohibited during the specified number of generations.

3.5.9[a]Identification and Authentication

An immediate change to a permanent password is required when a temporary password is used for system logon.

3.5.10[a]Identification and Authentication

Passwords are cryptographically protected in storage.

3.5.10[b]Identification and Authentication

Passwords are cryptographically protected in transit.

3.5.11[a]Identification and Authentication

Authentication information is obscured during the authentication process.

3.6.1[a]Incident Response

An operational incident-handling capability is established.

3.6.1[b]Incident Response

The operational incident-handling capability includes preparation.

3.6.1[c]Incident Response

The operational incident-handling capability includes detection.

3.6.1[d]Incident Response

The operational incident-handling capability includes analysis.

3.6.1[e]Incident Response

The operational incident-handling capability includes containment.

3.6.1[f]Incident Response

The operational incident-handling capability includes recovery.

3.6.1[g]Incident Response

The operational incident-handling capability includes user response activities.

3.6.2[a]Incident Response

Incidents are tracked.

3.6.2[b]Incident Response

Incidents are documented.

3.6.2[c]Incident Response

Authorities to whom incidents are to be reported are identified.

3.6.2[d]Incident Response

Organizational officials to whom incidents are to be reported are identified.

3.6.2[e]Incident Response

Identified authorities are notified of incidents.

3.6.2[f]Incident Response

Identified organizational officials are notified of incidents.

3.6.3[a]Incident Response

The incident response capability is tested.

3.7.1[a]Maintenance

System maintenance is performed.

3.7.2[a]Maintenance

Tools used to conduct system maintenance are controlled.

3.7.2[b]Maintenance

Techniques used to conduct system maintenance are controlled.

3.7.2[c]Maintenance

Mechanisms used to conduct system maintenance are controlled.

3.7.2[d]Maintenance

Personnel used to conduct system maintenance are controlled.

3.7.3[a]Maintenance

Equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.

3.7.4[a]Maintenance

Media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.

3.7.5[a]Maintenance

Multifactor authentication is required to establish nonlocal maintenance sessions via external network connections.

3.7.5[b]Maintenance

Nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.

3.7.6[a]Maintenance

Maintenance personnel without required access authorization are supervised during maintenance activities.

3.8.1[a]Media Protection

Paper media containing CUI is physically controlled.

3.8.1[b]Media Protection

Digital media containing CUI is physically controlled.

3.8.1[c]Media Protection

Paper media containing CUI is securely stored.

3.8.1[d]Media Protection

Digital media containing CUI is securely stored.

3.8.2[a]Media Protection

Access to CUI on system media is limited to authorized users.

3.8.3[a]Media Protection

System media containing CUI is sanitized or destroyed before disposal.

3.8.3[b]Media Protection

System media containing CUI is sanitized before it is released for reuse.

3.8.4[a]Media Protection

Media containing CUI is marked with applicable CUI markings.

3.8.4[b]Media Protection

Media containing CUI is marked with distribution limitations.

3.8.5[a]Media Protection

Access to media containing CUI is controlled.

3.8.5[b]Media Protection

Accountability for media containing CUI is maintained during transport outside of controlled areas.

3.8.6[a]Media Protection

The confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.

3.8.7[a]Media Protection

The use of removable media on system components containing CUI is controlled.

3.8.8[a]Media Protection

The use of portable storage devices is prohibited when such devices have no identifiable owner.

3.8.9[a]Media Protection

The confidentiality of backup CUI is protected at storage locations.

3.9.1[a]Personnel Security

Individuals are screened prior to authorizing access to organizational systems.

3.9.2[a]Personnel Security

A policy and/or process for terminating system access authorization and any credentials coincident with personnel actions is established.

3.9.2[b]Personnel Security

System access and credentials are terminated consistent with personnel actions such as termination or transfer.

3.9.2[c]Personnel Security

The system is protected during and after personnel transfer actions.

3.10.1[a]Physical Protection

Authorized individuals allowed physical access are identified.

3.10.1[b]Physical Protection

Physical access to organizational systems is limited to authorized individuals.

3.10.1[c]Physical Protection

Physical access to equipment is limited to authorized individuals.

3.10.1[d]Physical Protection

Physical access to operating environments is limited to authorized individuals.

3.10.2[a]Physical Protection

The physical facility where that system resides is protected.

3.10.2[b]Physical Protection

The support infrastructure for that system is protected.

3.10.2[c]Physical Protection

The physical facility where that system resides is monitored.

3.10.2[d]Physical Protection

The support infrastructure for that system is monitored.

3.10.3[a]Physical Protection

Visitors are escorted.

3.10.3[b]Physical Protection

Visitor activity is monitored.

3.10.4[a]Physical Protection

Audit logs of physical access are maintained.

3.10.5[a]Physical Protection

Physical access devices are identified.

3.10.5[b]Physical Protection

Physical access devices are controlled.

3.10.5[c]Physical Protection

Physical access devices are managed.

3.10.6[a]Physical Protection

Safeguarding measures for CUI are defined for alternate work sites.

3.10.6[b]Physical Protection

Safeguarding measures for CUI are enforced for alternate work sites.

3.11.1[a]Risk Assessment

The frequency to assess risk to organizational operations, organizational assets, and individuals is defined.

3.11.1[b]Risk Assessment

Risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.

3.11.2[a]Risk Assessment

The frequency to scan for vulnerabilities in an organizational system and its applications that process, store, or transmit CUI is defined.

3.11.2[b]Risk Assessment

Vulnerability scans are performed in an organizational system that processes, stores, or transmits CUI with the defined frequency.

3.11.2[c]Risk Assessment

Vulnerability scans are performed in an application that contains CUI with the defined frequency.

3.11.2[d]Risk Assessment

Vulnerability scans are performed in an organizational system that processes, stores, or transmits CUI when new vulnerabilities are identified.

3.11.2[e]Risk Assessment

Vulnerability scans are performed in an application that contains CUI when new vulnerabilities are identified.

3.11.3[a]Risk Assessment

Vulnerabilities are identified.

3.11.3[b]Risk Assessment

Vulnerabilities are remediated in accordance with risk assessments.

3.12.1[a]Security Assessment

The frequency of security control assessments is defined.

3.12.1[b]Security Assessment

Security controls are assessed with the defined frequency to determine if the controls are effective in their application.

3.12.2[a]Security Assessment

Deficiencies and vulnerabilities to be addressed by the plan of action are identified.

3.12.2[b]Security Assessment

A plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities.

3.12.2[c]Security Assessment

The plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.

3.12.3[a]Security Assessment

Security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.

3.12.4[a]Security Assessment

A system security plan is developed.

3.12.4[b]Security Assessment

The system boundary is described and documented in the system security plan.

3.12.4[c]Security Assessment

The system environment of operation is described and documented in the system security plan.

3.12.4[d]Security Assessment

The security requirements identified and approved by the designated authority as non-applicable are identified.

3.12.4[e]Security Assessment

The method of security requirement implementation is described and documented in the system security plan.

3.12.4[f]Security Assessment

The relationship with or connection to other systems is described and documented in the system security plan.

3.12.4[g]Security Assessment

The frequency to update the system security plan is defined.

3.12.4[h]Security Assessment

The system security plan is updated with the defined frequency.

3.13.1[a]System and Communications Protection

The external system boundary is defined.

3.13.1[b]System and Communications Protection

Key internal system boundaries are defined.

3.13.1[c]System and Communications Protection

Communications are monitored at the external system boundary.

3.13.1[d]System and Communications Protection

Communications are monitored at key internal boundaries.

3.13.1[e]System and Communications Protection

Communications are controlled at the external system boundary.

3.13.1[f]System and Communications Protection

Communications are controlled at key internal boundaries.

3.13.1[g]System and Communications Protection

Communications are protected at the external system boundary.

3.13.1[h]System and Communications Protection

Communications are protected at key internal boundaries.

3.13.2[a]System and Communications Protection

Architectural designs that promote effective information security are identified.

3.13.2[b]System and Communications Protection

Software development techniques that promote effective information security are identified.

3.13.2[c]System and Communications Protection

Systems engineering principles that promote effective information security are identified.

3.13.2[d]System and Communications Protection

Identified architectural designs that promote effective information security are employed.

3.13.2[e]System and Communications Protection

Identified software development techniques that promote effective information security are employed.

3.13.2[f]System and Communications Protection

Identified systems engineering principles that promote effective information security are employed.

3.13.3[a]System and Communications Protection

User functionality is identified.

3.13.3[b]System and Communications Protection

System management functionality is identified.

3.13.3[c]System and Communications Protection

User functionality is separated from system management functionality.

3.13.4[a]System and Communications Protection

Unauthorized and unintended information transfer via shared system resources is prevented.

3.13.5[a]System and Communications Protection

Publicly accessible system components are identified.

3.13.5[b]System and Communications Protection

Subnetworks for publicly accessible system components are physically or logically separated from internal networks.

3.13.6[a]System and Communications Protection

Network communications traffic is denied by default.

3.13.6[b]System and Communications Protection

Network communications traffic is allowed by exception.

3.13.7[a]System and Communications Protection

Remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling).

3.13.8[a]System and Communications Protection

Cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified.

3.13.8[b]System and Communications Protection

Alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified.

3.13.8[c]System and Communications Protection

Either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.

3.13.9[a]System and Communications Protection

A period of inactivity to terminate network connections associated with communications sessions is defined.

3.13.9[b]System and Communications Protection

Network connections associated with communications sessions are terminated at the end of the sessions.

3.13.9[c]System and Communications Protection

Network connections associated with communications sessions are terminated after the defined period of inactivity.

3.13.10[a]System and Communications Protection

Cryptographic keys are established whenever cryptography is employed.

3.13.10[b]System and Communications Protection

Cryptographic keys are managed whenever cryptography is employed.

3.13.11[a]System and Communications Protection

FIPS-validated cryptography is employed to protect the confidentiality of CUI.

3.13.12[a]System and Communications Protection

Collaborative computing devices are identified.

3.13.12[b]System and Communications Protection

Collaborative computing devices provide indication to users of devices in use.

3.13.12[c]System and Communications Protection

Remote activation of collaborative computing devices is prohibited.

3.13.13[a]System and Communications Protection

Use of mobile code is controlled.

3.13.13[b]System and Communications Protection

Use of mobile code is monitored.

3.13.14[a]System and Communications Protection

Use of Voice over Internet Protocol (VoIP) technologies is controlled.

3.13.14[b]System and Communications Protection

Use of Voice over Internet Protocol (VoIP) technologies is monitored.

3.13.15[a]System and Communications Protection

The authenticity of communications sessions is protected.

3.13.16[a]System and Communications Protection

The confidentiality of CUI at rest is protected.

3.14.1[a]System and Information Integrity

The time within which to identify system flaws is specified.

3.14.1[b]System and Information Integrity

System flaws are identified within the specified time frame.

3.14.1[c]System and Information Integrity

The time within which to report system flaws is specified.

3.14.1[d]System and Information Integrity

System flaws are reported within the specified time frame.

3.14.1[e]System and Information Integrity

The time within which to correct system flaws is specified.

3.14.1[f]System and Information Integrity

System flaws are corrected within the specified time frame.

3.14.2[a]System and Information Integrity

Designated locations for malicious code protection are identified.

3.14.2[b]System and Information Integrity

Protection from malicious code at designated locations is provided.

3.14.3[a]System and Information Integrity

Response actions to system security alerts and advisories are identified.

3.14.3[b]System and Information Integrity

System security alerts and advisories are monitored.

3.14.3[c]System and Information Integrity

Actions in response to system security alerts and advisories are taken.

3.14.4[a]System and Information Integrity

Malicious code protection mechanisms are updated when new releases are available.

3.14.5[a]System and Information Integrity

The frequency for malicious code scans is defined.

3.14.5[b]System and Information Integrity

Malicious code scans are performed with the defined frequency.

3.14.5[c]System and Information Integrity

Real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.

3.14.6[a]System and Information Integrity

The system is monitored to detect attacks and indicators of potential attacks.

3.14.6[b]System and Information Integrity

Inbound communications traffic is monitored to detect attacks and indicators of potential attacks.

3.14.6[c]System and Information Integrity

Outbound communications traffic is monitored to detect attacks and indicators of potential attacks.

3.14.7[a]System and Information Integrity

Authorized use of the system is defined.

3.14.7[b]System and Information Integrity

Unauthorized use of the system is identified.