ID | Family | Determination Statement |
---|---|---|
3.1.1[a] | Access Control | Authorized users are identified. |
3.1.1[b] | Access Control | Processes acting on behalf of authorized users are identified. |
3.1.1[c] | Access Control | Devices (including other systems) authorized to connect to the system are identified. |
3.1.1[d] | Access Control | System access is limited to authorized users. |
3.1.1[e] | Access Control | System access is limited to processes acting on behalf of authorized users. |
3.1.1[f] | Access Control | System access is limited to authorized devices (including other systems). |
3.1.2[a] | Access Control | The types of transactions and functions that authorized users are permitted to execute are defined. |
3.1.2[b] | Access Control | System access is limited to the defined types of transactions and functions for authorized users. |
3.1.3[a] | Access Control | Information flow control policies are defined. |
3.1.3[b] | Access Control | Methods and enforcement mechanisms for controlling the flow of CUI are defined. |
3.1.3[c] | Access Control | Designated sources and destinations (e.g., networks, individuals, and devices) for CUI within systems and between interconnected systems are identified. |
3.1.3[d] | Access Control | Authorizations for controlling the flow of CUI are defined. |
3.1.3[e] | Access Control | Approved authorizations for controlling the flow of CUI are enforced. |
3.1.4[a] | Access Control | The duties of individuals requiring separation to reduce the risk of malevolent activity are defined. |
3.1.4[b] | Access Control | Organization-defined duties of individuals requiring separation are separated. |
3.1.4[c] | Access Control | Separate accounts for individuals whose duties and accesses must be separated to reduce the risk of malevolent activity or collusion are established. |
3.1.5[a] | Access Control | Privileged accounts are identified. |
3.1.5[b] | Access Control | Access to privileged accounts is authorized in accordance with the principle of least privilege. |
3.1.5[c] | Access Control | Security functions are identified. |
3.1.5[d] | Access Control | Access to security functions is authorized in accordance with the principle of least privilege. |
3.1.6[a] | Access Control | Nonsecurity functions are identified. |
3.1.6[b] | Access Control | Users are required to use non-privileged accounts or roles when accessing nonsecurity functions. |
3.1.7[a] | Access Control | Privileged functions are defined. |
3.1.7[b] | Access Control | Non-privileged users are defined. |
3.1.7[c] | Access Control | Non-privileged users are prevented from executing privileged functions. |
3.1.7[d] | Access Control | The execution of privileged functions is captured in audit logs. |
3.1.8[a] | Access Control | The means of limiting unsuccessful logon attempts is defined. |
3.1.8[b] | Access Control | The defined means of limiting unsuccessful logon attempts is implemented. |
3.1.9[a] | Access Control | Privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category. |
3.1.9[b] | Access Control | Privacy and security notices are displayed. |
3.1.10[a] | Access Control | The period of inactivity after which the system initiates a session lock is defined. |
3.1.10[b] | Access Control | Access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity. |
3.1.10[c] | Access Control | Previously visible information is concealed via a pattern-hiding display after the defined period of inactivity. |
3.1.11[a] | Access Control | Conditions requiring a user session to terminate are defined. |
3.1.11[b] | Access Control | A user session is automatically terminated after any of the defined conditions occur. |
3.1.12[a] | Access Control | Remote access sessions are permitted. |
3.1.12[b] | Access Control | The types of permitted remote access are identified. |
3.1.12[c] | Access Control | Remote access sessions are controlled. |
3.1.12[d] | Access Control | Remote access sessions are monitored. |
3.1.13[a] | Access Control | Cryptographic mechanisms to protect the confidentiality of remote access sessions are identified. |
3.1.13[b] | Access Control | Cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented. |
3.1.14[a] | Access Control | Managed access control points are identified and implemented. |
3.1.14[b] | Access Control | Remote access is routed through managed network access control points. |
3.1.15[a] | Access Control | Privileged commands authorized for remote execution are identified. |
3.1.15[b] | Access Control | Security-relevant information authorized to be accessed remotely is identified. |
3.1.15[c] | Access Control | The execution of the identified privileged commands via remote access is authorized. |
3.1.15[d] | Access Control | Access to the identified security-relevant information via remote access is authorized. |
3.1.16[a] | Access Control | Wireless access points are identified. |
3.1.16[b] | Access Control | Wireless access is authorized prior to allowing such connections. |
3.1.17[a] | Access Control | Wireless access to the system is protected using encryption. |
3.1.17[b] | Access Control | Wireless access to the system is protected using authentication. |
3.1.18[a] | Access Control | Mobile devices that process, store, or transmit CUI are identified. |
3.1.18[b] | Access Control | The connection of mobile devices is authorized. |
3.1.18[c] | Access Control | Mobile device connections are monitored and logged. |
3.1.19[a] | Access Control | Mobile devices and mobile computing platforms that process, store, or transmit CUI are identified. |
3.1.19[b] | Access Control | Encryption is employed to protect CUI on identified mobile devices and mobile computing platforms. |
3.1.20[a] | Access Control | Connections to external systems are identified. |
3.1.20[b] | Access Control | Use of external systems is identified. |
3.1.20[c] | Access Control | Connections to external systems are verified. |
3.1.20[d] | Access Control | Use of external systems is verified. |
3.1.20[e] | Access Control | Connections to external systems are controlled/limited. |
3.1.20[f] | Access Control | Use of external systems is controlled/limited. |
3.1.21[a] | Access Control | Use of organizational portable storage devices containing CUI on external systems is identified and documented. |
3.1.21[b] | Access Control | Limits on the use of organizational portable storage devices containing CUI on external systems are defined. |
3.1.21[c] | Access Control | Use of organizational portable storage devices containing CUI on external systems is limited as defined. |
3.1.22[a] | Access Control | Individuals authorized to post or process information on publicly accessible systems are identified. |
3.1.22[b] | Access Control | Procedures to ensure CUI is not posted or processed on publicly accessible systems are identified. |
3.1.22[c] | Access Control | A review process is in place prior to posting of any content to publicly accessible systems. |
3.1.22[d] | Access Control | Content on publicly accessible information systems is reviewed to ensure that it does not include CUI. |
3.1.22[e] | Access Control | Mechanisms are in place to remove and address improper posting of CUI. |
3.2.1[a] | Awareness and Training | Security risks associated with organizational activities involving CUI are identified. |
3.2.1[b] | Awareness and Training | Policies, standards, and procedures related to the security of the system are identified. |
3.2.1[c] | Awareness and Training | Managers, systems administrators, and users of the system are made aware of the security risks associated with their activities. |
3.2.1[d] | Awareness and Training | Managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system. |
3.2.2[a] | Awareness and Training | Information security-related duties, roles, and responsibilities are defined. |
3.2.2[b] | Awareness and Training | Information security-related duties, roles, and responsibilities are assigned to designated personnel. |
3.2.2[c] | Awareness and Training | Personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities. |
3.2.3[a] | Awareness and Training | Potential indicators associated with insider threats are identified. |
3.2.3[b] | Awareness and Training | Security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees. |
3.3.1[a] | Audit and Accountability | Audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified. |
3.3.1[b] | Audit and Accountability | The content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined. |
3.3.1[c] | Audit and Accountability | Audit records are created (generated). |
3.3.1[d] | Audit and Accountability | Audit records, once created, contain the defined content. |
3.3.1[e] | Audit and Accountability | Retention requirements for audit records are defined. |
3.3.1[f] | Audit and Accountability | Audit records are retained as defined. |
3.3.2[a] | Audit and Accountability | The content of the audit records needed to support the ability to uniquely trace users to their actions is defined. |
3.3.2[b] | Audit and Accountability | Audit records, once created, contain the defined content. |
3.3.3[a] | Audit and Accountability | A process for determining when to review logged events is defined. |
3.3.3[b] | Audit and Accountability | Event types being logged are reviewed in accordance with the defined review process. |
3.3.3[c] | Audit and Accountability | Event types being logged are updated based on the review. |
3.3.4[a] | Audit and Accountability | Personnel or roles to be alerted in the event of an audit logging process failure are identified. |
3.3.4[b] | Audit and Accountability | Types of audit logging process failures for which alert will be generated are defined. |
3.3.4[c] | Audit and Accountability | Identified personnel or roles are alerted in the event of an audit logging process failure. |
3.3.5[a] | Audit and Accountability | Audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined. |
3.3.5[b] | Audit and Accountability | Defined audit record review, analysis, and reporting processes are correlated. |
3.3.6[a] | Audit and Accountability | An audit record reduction capability that supports on-demand analysis is provided. |
3.3.6[b] | Audit and Accountability | A report generation capability that supports on-demand reporting is provided. |
3.3.7[a] | Audit and Accountability | Internal system clocks are used to generate time stamps for audit records. |
3.3.7[b] | Audit and Accountability | An authoritative source with which to compare and synchronize internal system clocks is specified. |
3.3.7[c] | Audit and Accountability | Internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source. |
3.3.8[a] | Audit and Accountability | Audit information is protected from unauthorized access. |
3.3.8[b] | Audit and Accountability | Audit information is protected from unauthorized modification. |
3.3.8[c] | Audit and Accountability | Audit information is protected from unauthorized deletion. |
3.3.8[d] | Audit and Accountability | Audit logging tools are protected from unauthorized access. |
3.3.8[e] | Audit and Accountability | Audit logging tools are protected from unauthorized modification. |
3.3.8[f] | Audit and Accountability | Audit logging tools are protected from unauthorized deletion. |
3.3.9[a] | Audit and Accountability | A subset of privileged users granted access to manage audit logging functionality is defined. |
3.3.9[b] | Audit and Accountability | Management of audit logging functionality is limited to the defined subset of privileged users. |
3.4.1[a] | Configuration Management | A baseline configuration is established. |
3.4.1[b] | Configuration Management | The baseline configuration includes hardware, software, firmware, and documentation. |
3.4.1[c] | Configuration Management | The baseline configuration is maintained (reviewed and updated) throughout the system development life cycle. |
3.4.1[d] | Configuration Management | A system inventory is established. |
3.4.1[e] | Configuration Management | The system inventory includes hardware, software, firmware, and documentation. |
3.4.1[f] | Configuration Management | The inventory is maintained (reviewed and updated) throughout the system development life cycle. |
3.4.2[a] | Configuration Management | Security configuration settings for information technology products employed in the system are established and included in the baseline configuration. |
3.4.2[b] | Configuration Management | Security configuration settings for information technology products employed in the system are enforced. |
3.4.3[a] | Configuration Management | Changes to the system are tracked. |
3.4.3[b] | Configuration Management | Changes to the system are reviewed. |
3.4.3[c] | Configuration Management | Changes to the system are approved or disapproved. |
3.4.3[d] | Configuration Management | Changes to the system are logged. |
3.4.4[a] | Configuration Management | The security impact of changes to each organizational system is analyzed prior to implementation. |
3.4.5[a] | Configuration Management | Physical access restrictions associated with changes to the system are defined. |
3.4.5[b] | Configuration Management | Physical access restrictions associated with changes to the system are documented. |
3.4.5[c] | Configuration Management | Physical access restrictions associated with changes to the system are approved. |
3.4.5[d] | Configuration Management | Physical access restrictions associated with changes to the system are enforced. |
3.4.5[e] | Configuration Management | Logical access restrictions associated with changes to the system are defined. |
3.4.5[f] | Configuration Management | Logical access restrictions associated with changes to the system are documented. |
3.4.5[g] | Configuration Management | Logical access restrictions associated with changes to the system are approved. |
3.4.5[h] | Configuration Management | Logical access restrictions associated with changes to the system are enforced. |
3.4.6[a] | Configuration Management | Essential system capabilities are defined based on the principle of least functionality. |
3.4.6[b] | Configuration Management | The system is configured to provide only the defined essential capabilities. |
3.4.7[a] | Configuration Management | Essential programs are defined. |
3.4.7[b] | Configuration Management | The use of nonessential programs is defined. |
3.4.7[c] | Configuration Management | The use of nonessential programs is restricted, disabled, or prevented as defined. |
3.4.7[d] | Configuration Management | Essential functions are defined. |
3.4.7[e] | Configuration Management | The use of nonessential functions is defined. |
3.4.7[f] | Configuration Management | The use of nonessential functions is restricted, disabled, or prevented as defined. |
3.4.7[g] | Configuration Management | Essential ports are defined. |
3.4.7[h] | Configuration Management | The use of nonessential ports is defined. |
3.4.7[i] | Configuration Management | The use of nonessential ports is restricted, disabled, or prevented as defined. |
3.4.7[j] | Configuration Management | Essential protocols are defined. |
3.4.7[k] | Configuration Management | The use of nonessential protocols is defined. |
3.4.7[l] | Configuration Management | The use of nonessential protocols is restricted, disabled, or prevented as defined. |
3.4.7[m] | Configuration Management | Essential services are defined. |
3.4.7[n] | Configuration Management | The use of nonessential services is defined. |
3.4.7[o] | Configuration Management | The use of nonessential services is restricted, disabled, or prevented as defined. |
3.4.8[a] | Configuration Management | A policy specifying whether whitelisting or blacklisting is to be implemented is specified. |
3.4.8[b] | Configuration Management | The software allowed to execute under whitelisting or denied use under blacklisting is specified. |
3.4.8[c] | Configuration Management | Whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified. |
3.4.9[a] | Configuration Management | A policy for controlling the installation of software by users is established. |
3.4.9[b] | Configuration Management | Installation of software by users is controlled based on the established policy. |
3.4.9[c] | Configuration Management | Installation of software by users is monitored. |
3.5.1[a] | Identification and Authentication | System users are identified. |
3.5.1[b] | Identification and Authentication | Processes acting on behalf of users are identified. |
3.5.1[c] | Identification and Authentication | Devices accessing the system are identified. |
3.5.2[a] | Identification and Authentication | The identity of each user is authenticated or verified as a prerequisite to system access. |
3.5.2[b] | Identification and Authentication | The identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access. |
3.5.2[c] | Identification and Authentication | The identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. |
3.5.3[a] | Identification and Authentication | Privileged accounts are identified. |
3.5.3[b] | Identification and Authentication | Multifactor authentication is implemented for local access to privileged accounts. |
3.5.3[c] | Identification and Authentication | Multifactor authentication is implemented for network access to privileged accounts. |
3.5.3[d] | Identification and Authentication | Multifactor authentication is implemented for network access to non-privileged accounts. |
3.5.4[a] | Identification and Authentication | Replay-resistant authentication mechanisms are implemented for all network account access to privileged and non-privileged accounts. |
3.5.5[a] | Identification and Authentication | A period within which identifiers cannot be reused is defined. |
3.5.5[b] | Identification and Authentication | Reuse of identifiers is prevented within the defined period. |
3.5.6[a] | Identification and Authentication | A period of inactivity after which an identifier is disabled is defined. |
3.5.6[b] | Identification and Authentication | Identifiers are disabled after the defined period of inactivity. |
3.5.7[a] | Identification and Authentication | Password complexity requirements are defined. |
3.5.7[b] | Identification and Authentication | Password change of character requirements are defined. |
3.5.7[c] | Identification and Authentication | Minimum password complexity requirements as defined are enforced when new passwords are created. |
3.5.7[d] | Identification and Authentication | Minimum password change of character requirements as defined are enforced when new passwords are created. |
3.5.8[a] | Identification and Authentication | The number of generations during which a password cannot be reused is specified. |
3.5.8[b] | Identification and Authentication | Reuse of passwords is prohibited during the specified number of generations. |
3.5.9[a] | Identification and Authentication | An immediate change to a permanent password is required when a temporary password is used for system logon. |
3.5.10[a] | Identification and Authentication | Passwords are cryptographically protected in storage. |
3.5.10[b] | Identification and Authentication | Passwords are cryptographically protected in transit. |
3.5.11[a] | Identification and Authentication | Authentication information is obscured during the authentication process. |
3.6.1[a] | Incident Response | An operational incident-handling capability is established. |
3.6.1[b] | Incident Response | The operational incident-handling capability includes preparation. |
3.6.1[c] | Incident Response | The operational incident-handling capability includes detection. |
3.6.1[d] | Incident Response | The operational incident-handling capability includes analysis. |
3.6.1[e] | Incident Response | The operational incident-handling capability includes containment. |
3.6.1[f] | Incident Response | The operational incident-handling capability includes recovery. |
3.6.1[g] | Incident Response | The operational incident-handling capability includes user response activities. |
3.6.2[a] | Incident Response | Incidents are tracked. |
3.6.2[b] | Incident Response | Incidents are documented. |
3.6.2[c] | Incident Response | Authorities to whom incidents are to be reported are identified. |
3.6.2[d] | Incident Response | Organizational officials to whom incidents are to be reported are identified. |
3.6.2[e] | Incident Response | Identified authorities are notified of incidents. |
3.6.2[f] | Incident Response | Identified organizational officials are notified of incidents. |
3.6.3[a] | Incident Response | The incident response capability is tested. |
3.7.1[a] | Maintenance | System maintenance is performed. |
3.7.2[a] | Maintenance | Tools used to conduct system maintenance are controlled. |
3.7.2[b] | Maintenance | Techniques used to conduct system maintenance are controlled. |
3.7.2[c] | Maintenance | Mechanisms used to conduct system maintenance are controlled. |
3.7.2[d] | Maintenance | Personnel used to conduct system maintenance are controlled. |
3.7.3[a] | Maintenance | Equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI. |
3.7.4[a] | Maintenance | Media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI. |
3.7.5[a] | Maintenance | Multifactor authentication is required to establish nonlocal maintenance sessions via external network connections. |
3.7.5[b] | Maintenance | Nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete. |
3.7.6[a] | Maintenance | Maintenance personnel without required access authorization are supervised during maintenance activities. |
3.8.1[a] | Media Protection | Paper media containing CUI is physically controlled. |
3.8.1[b] | Media Protection | Digital media containing CUI is physically controlled. |
3.8.1[c] | Media Protection | Paper media containing CUI is securely stored. |
3.8.1[d] | Media Protection | Digital media containing CUI is securely stored. |
3.8.2[a] | Media Protection | Access to CUI on system media is limited to authorized users. |
3.8.3[a] | Media Protection | System media containing CUI is sanitized or destroyed before disposal. |
3.8.3[b] | Media Protection | System media containing CUI is sanitized before it is released for reuse. |
3.8.4[a] | Media Protection | Media containing CUI is marked with applicable CUI markings. |
3.8.4[b] | Media Protection | Media containing CUI is marked with distribution limitations. |
3.8.5[a] | Media Protection | Access to media containing CUI is controlled. |
3.8.5[b] | Media Protection | Accountability for media containing CUI is maintained during transport outside of controlled areas. |
3.8.6[a] | Media Protection | The confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards. |
3.8.7[a] | Media Protection | The use of removable media on system components containing CUI is controlled. |
3.8.8[a] | Media Protection | The use of portable storage devices is prohibited when such devices have no identifiable owner. |
3.8.9[a] | Media Protection | The confidentiality of backup CUI is protected at storage locations. |
3.9.1[a] | Personnel Security | Individuals are screened prior to authorizing access to organizational systems. |
3.9.2[a] | Personnel Security | A policy and/or process for terminating system access authorization and any credentials coincident with personnel actions is established. |
3.9.2[b] | Personnel Security | System access and credentials are terminated consistent with personnel actions such as termination or transfer. |
3.9.2[c] | Personnel Security | The system is protected during and after personnel transfer actions. |
3.10.1[a] | Physical Protection | Authorized individuals allowed physical access are identified. |
3.10.1[b] | Physical Protection | Physical access to organizational systems is limited to authorized individuals. |
3.10.1[c] | Physical Protection | Physical access to equipment is limited to authorized individuals. |
3.10.1[d] | Physical Protection | Physical access to operating environments is limited to authorized individuals. |
3.10.2[a] | Physical Protection | The physical facility where that system resides is protected. |
3.10.2[b] | Physical Protection | The support infrastructure for that system is protected. |
3.10.2[c] | Physical Protection | The physical facility where that system resides is monitored. |
3.10.2[d] | Physical Protection | The support infrastructure for that system is monitored. |
3.10.3[a] | Physical Protection | Visitors are escorted. |
3.10.3[b] | Physical Protection | Visitor activity is monitored. |
3.10.4[a] | Physical Protection | Audit logs of physical access are maintained. |
3.10.5[a] | Physical Protection | Physical access devices are identified. |
3.10.5[b] | Physical Protection | Physical access devices are controlled. |
3.10.5[c] | Physical Protection | Physical access devices are managed. |
3.10.6[a] | Physical Protection | Safeguarding measures for CUI are defined for alternate work sites. |
3.10.6[b] | Physical Protection | Safeguarding measures for CUI are enforced for alternate work sites. |
3.11.1[a] | Risk Assessment | The frequency to assess risk to organizational operations, organizational assets, and individuals is defined. |
3.11.1[b] | Risk Assessment | Risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency. |
3.11.2[a] | Risk Assessment | The frequency to scan for vulnerabilities in an organizational system and its applications that process, store, or transmit CUI is defined. |
3.11.2[b] | Risk Assessment | Vulnerability scans are performed in an organizational system that processes, stores, or transmits CUI with the defined frequency. |
3.11.2[c] | Risk Assessment | Vulnerability scans are performed in an application that contains CUI with the defined frequency. |
3.11.2[d] | Risk Assessment | Vulnerability scans are performed in an organizational system that processes, stores, or transmits CUI when new vulnerabilities are identified. |
3.11.2[e] | Risk Assessment | Vulnerability scans are performed in an application that contains CUI when new vulnerabilities are identified. |
3.11.3[a] | Risk Assessment | Vulnerabilities are identified. |
3.11.3[b] | Risk Assessment | Vulnerabilities are remediated in accordance with risk assessments. |
3.12.1[a] | Security Assessment | The frequency of security control assessments is defined. |
3.12.1[b] | Security Assessment | Security controls are assessed with the defined frequency to determine if the controls are effective in their application. |
3.12.2[a] | Security Assessment | Deficiencies and vulnerabilities to be addressed by the plan of action are identified. |
3.12.2[b] | Security Assessment | A plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities. |
3.12.2[c] | Security Assessment | The plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities. |
3.12.3[a] | Security Assessment | Security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls. |
3.12.4[a] | Security Assessment | A system security plan is developed. |
3.12.4[b] | Security Assessment | The system boundary is described and documented in the system security plan. |
3.12.4[c] | Security Assessment | The system environment of operation is described and documented in the system security plan. |
3.12.4[d] | Security Assessment | The security requirements identified and approved by the designated authority as non-applicable are identified. |
3.12.4[e] | Security Assessment | The method of security requirement implementation is described and documented in the system security plan. |
3.12.4[f] | Security Assessment | The relationship with or connection to other systems is described and documented in the system security plan. |
3.12.4[g] | Security Assessment | The frequency to update the system security plan is defined. |
3.12.4[h] | Security Assessment | The system security plan is updated with the defined frequency. |
3.13.1[a] | System and Communications Protection | The external system boundary is defined. |
3.13.1[b] | System and Communications Protection | Key internal system boundaries are defined. |
3.13.1[c] | System and Communications Protection | Communications are monitored at the external system boundary. |
3.13.1[d] | System and Communications Protection | Communications are monitored at key internal boundaries. |
3.13.1[e] | System and Communications Protection | Communications are controlled at the external system boundary. |
3.13.1[f] | System and Communications Protection | Communications are controlled at key internal boundaries. |
3.13.1[g] | System and Communications Protection | Communications are protected at the external system boundary. |
3.13.1[h] | System and Communications Protection | Communications are protected at key internal boundaries. |
3.13.2[a] | System and Communications Protection | Architectural designs that promote effective information security are identified. |
3.13.2[b] | System and Communications Protection | Software development techniques that promote effective information security are identified. |
3.13.2[c] | System and Communications Protection | Systems engineering principles that promote effective information security are identified. |
3.13.2[d] | System and Communications Protection | Identified architectural designs that promote effective information security are employed. |
3.13.2[e] | System and Communications Protection | Identified software development techniques that promote effective information security are employed. |
3.13.2[f] | System and Communications Protection | Identified systems engineering principles that promote effective information security are employed. |
3.13.3[a] | System and Communications Protection | User functionality is identified. |
3.13.3[b] | System and Communications Protection | System management functionality is identified. |
3.13.3[c] | System and Communications Protection | User functionality is separated from system management functionality. |
3.13.4[a] | System and Communications Protection | Unauthorized and unintended information transfer via shared system resources is prevented. |
3.13.5[a] | System and Communications Protection | Publicly accessible system components are identified. |
3.13.5[b] | System and Communications Protection | Subnetworks for publicly accessible system components are physically or logically separated from internal networks. |
3.13.6[a] | System and Communications Protection | Network communications traffic is denied by default. |
3.13.6[b] | System and Communications Protection | Network communications traffic is allowed by exception. |
3.13.7[a] | System and Communications Protection | Remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling). |
3.13.8[a] | System and Communications Protection | Cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified. |
3.13.8[b] | System and Communications Protection | Alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified. |
3.13.8[c] | System and Communications Protection | Either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission. |
3.13.9[a] | System and Communications Protection | A period of inactivity to terminate network connections associated with communications sessions is defined. |
3.13.9[b] | System and Communications Protection | Network connections associated with communications sessions are terminated at the end of the sessions. |
3.13.9[c] | System and Communications Protection | Network connections associated with communications sessions are terminated after the defined period of inactivity. |
3.13.10[a] | System and Communications Protection | Cryptographic keys are established whenever cryptography is employed. |
3.13.10[b] | System and Communications Protection | Cryptographic keys are managed whenever cryptography is employed. |
3.13.11[a] | System and Communications Protection | FIPS-validated cryptography is employed to protect the confidentiality of CUI. |
3.13.12[a] | System and Communications Protection | Collaborative computing devices are identified. |
3.13.12[b] | System and Communications Protection | Collaborative computing devices provide indication to users of devices in use. |
3.13.12[c] | System and Communications Protection | Remote activation of collaborative computing devices is prohibited. |
3.13.13[a] | System and Communications Protection | Use of mobile code is controlled. |
3.13.13[b] | System and Communications Protection | Use of mobile code is monitored. |
3.13.14[a] | System and Communications Protection | Use of Voice over Internet Protocol (VoIP) technologies is controlled. |
3.13.14[b] | System and Communications Protection | Use of Voice over Internet Protocol (VoIP) technologies is monitored. |
3.13.15[a] | System and Communications Protection | The authenticity of communications sessions is protected. |
3.13.16[a] | System and Communications Protection | The confidentiality of CUI at rest is protected. |
3.14.1[a] | System and Information Integrity | The time within which to identify system flaws is specified. |
3.14.1[b] | System and Information Integrity | System flaws are identified within the specified time frame. |
3.14.1[c] | System and Information Integrity | The time within which to report system flaws is specified. |
3.14.1[d] | System and Information Integrity | System flaws are reported within the specified time frame. |
3.14.1[e] | System and Information Integrity | The time within which to correct system flaws is specified. |
3.14.1[f] | System and Information Integrity | System flaws are corrected within the specified time frame. |
3.14.2[a] | System and Information Integrity | Designated locations for malicious code protection are identified. |
3.14.2[b] | System and Information Integrity | Protection from malicious code at designated locations is provided. |
3.14.3[a] | System and Information Integrity | Response actions to system security alerts and advisories are identified. |
3.14.3[b] | System and Information Integrity | System security alerts and advisories are monitored. |
3.14.3[c] | System and Information Integrity | Actions in response to system security alerts and advisories are taken. |
3.14.4[a] | System and Information Integrity | Malicious code protection mechanisms are updated when new releases are available. |
3.14.5[a] | System and Information Integrity | The frequency for malicious code scans is defined. |
3.14.5[b] | System and Information Integrity | Malicious code scans are performed with the defined frequency. |
3.14.5[c] | System and Information Integrity | Real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed. |
3.14.6[a] | System and Information Integrity | The system is monitored to detect attacks and indicators of potential attacks. |
3.14.6[b] | System and Information Integrity | Inbound communications traffic is monitored to detect attacks and indicators of potential attacks. |
3.14.6[c] | System and Information Integrity | Outbound communications traffic is monitored to detect attacks and indicators of potential attacks. |
3.14.7[a] | System and Information Integrity | Authorized use of the system is defined. |
3.14.7[b] | System and Information Integrity | Unauthorized use of the system is identified. |
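Added example, not part of NIST SP 800-171A or of this index: a Python check an assessor could run over the text that `nft list ruleset` prints, to collect evidence for 3.13.6[a] (network traffic denied by default) and 3.13.6[b] (traffic allowed by exception). It reports every base chain whose default policy is not `drop`, and every `accept` rule that is not an authorized exception. The sample ruleset is constructed for the example; the rule that each accept must carry a `comment` naming its authorization, with conntrack-state and loopback rules exempt, is an assumed local convention, not a NIST requirement.

```python
"""Deny-by-default / allow-by-exception check over nftables ruleset text.

Added example for objectives 3.13.6[a] and 3.13.6[b]; not NIST text.
Parses the output format of `nft list ruleset`. The sample below is
constructed and does not describe any real host.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: input and output chains are deny-by-default, the
# forward chain is not, and one output exception lacks a justification.
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 ip saddr 10.0.0.0/8 accept comment "admin ssh"
        tcp dport 443 accept comment "public web"
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ip saddr 192.168.1.0/24 drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        udp dport 53 accept comment "dns"
        tcp dport 25 accept
    }
}
"""


@dataclass
class ChainReport:
    table: str
    chain: str
    hook: str = ""
    policy: str = ""  # "drop", "accept", or "" when no policy is declared
    exceptions: list[str] = field(default_factory=list)  # rules that accept

    @property
    def default_deny(self) -> bool:
        # nftables applies "accept" when no policy is declared, so only an
        # explicit drop counts as deny-by-default.
        return self.policy == "drop"


TABLE_RE = re.compile(r"table\s+\S+\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(
    r"type\s+filter\s+hook\s+(\S+)\s+priority\s+[^;]+;(?:\s*policy\s+(\w+)\s*;)?"
)


def parse_ruleset(text: str) -> list[ChainReport]:
    """Return one report per base chain (chains with a hook line)."""
    reports: list[ChainReport] = []
    table = ""
    current: ChainReport | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TABLE_RE.match(line):
            table = m.group(1)
            continue
        if m := CHAIN_RE.match(line):
            current = ChainReport(table=table, chain=m.group(1))
            continue
        if line == "}":
            if current is not None and current.hook:
                reports.append(current)
            current = None
            continue
        if current is None:
            continue
        if m := HOOK_RE.match(line):
            current.hook = m.group(1)
            current.policy = m.group(2) or ""
            continue
        if re.search(r"\baccept\b", line):  # an allow-by-exception entry
            current.exceptions.append(line)
    return reports


def is_justified(rule: str) -> bool:
    """Assumed convention: conntrack-state and loopback accepts are implicit;
    every other accept must carry a comment naming its authorization."""
    return "ct state" in rule or 'iif "lo"' in rule or "comment" in rule


def findings(reports: list[ChainReport]) -> list[str]:
    """Human-readable findings; an empty list means both objectives hold."""
    out = []
    for r in reports:
        if not r.default_deny:
            shown = r.policy or "accept (nftables default when none is declared)"
            out.append(f"{r.table}/{r.chain} (hook {r.hook}): policy is {shown}, "
                       f"not drop [3.13.6[a]]")
        for rule in r.exceptions:
            if not is_justified(rule):
                out.append(f"{r.table}/{r.chain}: accept rule without a "
                           f"justifying comment: {rule} [3.13.6[b]]")
    return out


if __name__ == "__main__":
    for item in findings(parse_ruleset(SAMPLE_RULESET)):
        print(item)
```

Run against a real host, replace `SAMPLE_RULESET` with the output of `nft list ruleset`; the findings list is the evidence gap to close, and the per-chain `exceptions` lists are the allow-by-exception inventory an assessor will ask to see justified.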