NIST 800-171A Assessment Procedure Explorer

Authorized users are identified.

Processes acting on behalf of authorized users are identified.

Devices (including other systems) authorized to connect to the system are identified.

System access is limited to authorized users.

System access is limited to processes acting on behalf of authorized users.

System access is limited to authorized devices (including other systems).

The types of transactions and functions that authorized users are permitted to execute are defined

System access is limited to the defined types of transactions and functions for authorized users.

Information flow control policies are defined.

Methods and enforcement mechanisms for controlling the flow of CUI are defined.

Designated sources and destinations (e.g., networks, individuals, and devices) for CUI within systems and between interconnected systems are identified.

Authorizations for controlling the flow of CUI are defined.

Approved authorizations for controlling the flow of CUI are enforced.

The duties of individuals requiring separation to reduce the risk of malevolent activity are defined.

Organization-defined duties of individuals requiring separation are separated.

Separate accounts for individuals whose duties and accesses must be separated to reduce the risk of malevolent activity or collusion are established

Privileged accounts are identified.

Access to privileged accounts is authorized in accordance with the principle of least privilege.

Security functions are identified.

Access to security functions is authorized in accordance with the principle of least privilege.

Nonsecurity functions are identified.

Users are required to use non-privileged accounts or roles when accessing nonsecurity functions.

Privileged functions are defined.

Non-privileged users are defined.

Non-privileged users are prevented from executing privileged functions.

The execution of privileged functions is captured in audit logs.

The means of limiting unsuccessful logon attempts is defined.

The defined means of limiting unsuccessful logon attempts is implemented.

Privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category

Privacy and security notices are displayed.

The period of inactivity after which the system initiates a session lock is defined.

Access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity.

Previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.

Conditions requiring a user session to terminate are defined.

A user session is automatically terminated after any of the defined conditions occur.

Remote access sessions are permitted.

The types of permitted remote access are identified.

Remote access sessions are controlled.

Remote access sessions are monitored.

Cryptographic mechanisms to protect the confidentiality of remote access sessions are identified.

Cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.

Managed access control points are identified and implemented.

Remote access is routed through managed network access control points.

Privileged commands authorized for remote execution are identified.

Security-relevant information authorized to be accessed remotely is identified.

The execution of the identified privileged commands via remote access is authorized.

Access to the identified security-relevant information via remote access is authorized.

Wireless access points are identified.

Wireless access is authorized prior to allowing such connections.

Wireless access to the system is protected using encryption.

Wireless access to the system is protected using authentication.

Mobile devices that process, store, or transmit CUI are identified.

The connection of mobile devices is authorized.

Mobile device connections are monitored and logged.

Mobile devices and mobile computing platforms that process, store, or transmit CUI are identified.

Encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.

Connections to external systems are identified.

Use of external systems is identified.

Connections to external systems are verified.

Use of external systems is verified.

Connections to external systems are controlled/limited.

Use of external systems is controlled/limited.

Use of organizational portable storage devices containing CUI on external systems is identified and documented.

Limits on the use of organizational portable storage devices containing CUI on external systems are defined.

Use of organizational portable storage devices containing CUI on external systems is limited as defined.

Individuals authorized to post or process information on publicly accessible systems are identified.

Procedures to ensure CUI is not posted or processed on publicly accessible systems are identified.

A review process in in place prior to posting of any content to publicly accessible systems.

Content on publicly accessible information systems is reviewed to ensure that it does not include CUI.

Mechanisms are in place to remove and address improper posting of CUI.

Security risks associated with organizational activities involving CUI are identified.

Policies, standards, and procedures related to the security of the system are identified.

Managers, systems administrators, and users of the system are made aware of the security risks associated with their activities.

Managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.

Information security-related duties, roles, and responsibilities are defined.

Information security-related duties, roles, and responsibilities are assigned to designated personnel.

Personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.

Potential indicators associated with insider threats are identified.

Security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.

Audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified.

The content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined.

Audit records are created (generated).

Audit records, once created, contain the defined content.

Retention requirements for audit records are defined.

Audit records are retained as defined.

The content of the audit records needed to support the ability to uniquely trace users to their actions is defined.

Audit records, once created, contain the defined content.

A process for determining when to review logged events is defined.

Event types being logged are reviewed in accordance with the defined review process.

Event types being logged are updated based on the review.

Personnel or roles to be alerted in the event of an audit logging process failure are identified.

Types of audit logging process failures for which alert will be generated are defined.

Identified personnel or roles are alerted in the event of an audit logging process failure.

Audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined.

Defined audit record review, analysis, and reporting processes are correlated.

An audit record reduction capability that supports on-demand analysis is provided.

A report generation capability that supports on-demand reporting is provided.

Internal system clocks are used to generate time stamps for audit records.

An authoritative source with which to compare and synchronize internal system clocks is specified.

Internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source.

Audit information is protected from unauthorized access.

Audit information is protected from unauthorized modification.

Audit information is protected from unauthorized deletion.

Audit logging tools are protected from unauthorized access.

Audit logging tools are protected from unauthorized modification.

Audit logging tools are protected from unauthorized deletion.

A subset of privileged users granted access to manage audit logging functionality is defined.

Management of audit logging functionality is limited to the defined subset of privileged users.

A baseline configuration is established.

The baseline configuration includes hardware, software, firmware, and documentation.

The baseline configuration is maintained (reviewed and updated) throughout the system development life cycle.

A system inventory is established.

The system inventory includes hardware, software, firmware, and documentation.

The inventory is maintained (reviewed and updated) throughout the system development life cycle.

Security configuration settings for information technology products employed in the system are established and included in the baseline configuration.

Security configuration settings for information technology products employed in the system are enforced.

Changes to the system are tracked.

Changes to the system are reviewed.

Changes to the system are approved or disapproved.

Changes to the system are logged.

The security impact of changes to each organizational system is analyzed prior to implementation.

Physical access restrictions associated with changes to the system are defined.

Physical access restrictions associated with changes to the system are documented.

Physical access restrictions associated with changes to the system are approved.

Physical access restrictions associated with changes to the system are enforced.

Logical access restrictions associated with changes to the system are defined.

Logical access restrictions associated with changes to the system are documented.

Logical access restrictions associated with changes to the system are approved.

Logical access restrictions associated with changes to the system are enforced.

Essential system capabilities are defined based on the principle of least functionality.

The system is configured to provide only the defined essential capabilities.

Essential programs are defined.

The use of nonessential programs is defined.

The use of nonessential programs is restricted, disabled, or prevented as defined.

Essential functions are defined.

The use of nonessential functions is defined.

The use of nonessential functions is restricted, disabled, or prevented as defined.

Essential ports are defined.

The use of nonessential ports is defined.

The use of nonessential ports is restricted, disabled, or prevented as defined.

Essential protocols are defined.

The use of nonessential protocols is defined.

The use of nonessential protocols is restricted, disabled, or prevented as defined.

Essential services are defined.

The use of nonessential services is defined.

The use of nonessential services is restricted, disabled, or prevented as defined.

A policy specifying whether whitelisting or blacklisting is to be implemented is specified.

The software allowed to execute under whitelisting or denied use under blacklisting is specified.

Whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.

A policy for controlling the installation of software by users is established.

Installation of software by users is controlled based on the established policy.

Installation of software by users is monitored.

System users are identified.

Processes acting on behalf of users are identified.

Devices accessing the system are identified.

The identity of each user is authenticated or verified as a prerequisite to system access.

The identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access.

The identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.

Privileged accounts are identified.

Multifactor authentication is implemented for local access to privileged accounts.

Multifactor authentication is implemented for network access to privileged accounts.

Multifactor authentication is implemented for network access to non-privileged accounts.

Replay-resistant authentication mechanisms are implemented for all network account access to privileged and non-privileged accounts.

A period within which identifiers cannot be reused is defined.

Reuse of identifiers is prevented within the defined period.

A period of inactivity after which an identifier is disabled is defined.

Identifiers are disabled after the defined period of inactivity.

Password complexity requirements are defined.

Password change of character requirements are defined.

Minimum password complexity requirements as defined are enforced when new passwords are created.

Minimum password change of character requirements as defined are enforced when new passwords are created.

The number of generations during which a password cannot be reused is specified.

Reuse of passwords is prohibited during the specified number of generations.

An immediate change to a permanent password is required when a temporary password is used for system logon.

Passwords are cryptographically protected in storage.

Passwords are cryptographically protected in transit.

Authentication information is obscured during the authentication process.

An operational incident-handling capability is established.

The operational incident-handling capability includes preparation.

The operational incident-handling capability includes detection.

The operational incident-handling capability includes analysis.

The operational incident-handling capability includes containment.

The operational incident-handling capability includes recovery.

The operational incident-handling capability includes user response activities.

Incidents are tracked.

Incidents are documented.

Authorities to whom incidents are to be reported are identified.

Organizational officials to whom incidents are to be reported are identified.

Identified authorities are notified of incidents.

Identified organizational officials are notified of incidents.

The incident response capability is tested.

System maintenance is performed.

Tools used to conduct system maintenance are controlled.

Techniques used to conduct system maintenance are controlled.

Mechanisms used to conduct system maintenance are controlled.

Personnel used to conduct system maintenance are controlled.

Equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.

Media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.

Multifactor authentication is required to establish nonlocal maintenance sessions via external network connections.

Nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.

Maintenance personnel without required access authorization are supervised during maintenance activities.

Paper media containing CUI is physically controlled.

Digital media containing CUI is physically controlled.

Paper media containing CUI is securely stored.

Digital media containing CUI is securely stored.

Access to CUI on system media is limited to authorized users.

System media containing CUI is sanitized or destroyed before disposal.

System media containing CUI is sanitized before it is released for reuse.

Media containing CUI is marked with applicable CUI markings.

Media containing CUI is marked with distribution limitations.

Access to media containing CUI is controlled.

Accountability for media containing CUI is maintained during transport outside of controlled areas.

The confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.

The use of removable media on system components containing CUI is controlled.

The use of portable storage devices is prohibited when such devices have no identifiable owner.

The confidentiality of backup CUI is protected at storage locations.

Individuals are screened prior to authorizing access to organizational systems.

A policy and/or process for terminating system access authorization and any credentials coincident with personnel actions is established.

System access and credentials are terminated consistent with personnel actions such as termination or transfer.

The system is protected during and after personnel transfer actions.

Authorized individuals allowed physical access are identified.

Physical access to organizational systems is limited to authorized individuals.

Physical access to equipment is limited to authorized individuals.

Physical access to operating environments is limited to authorized individuals.

The physical facility where that system resides is protected.

The support infrastructure for that system is protected.

The physical facility where that system resides is monitored.

The support infrastructure for that system is monitored.

Visitors are escorted.

Visitor activity is monitored.

Audit logs of physical access are maintained.

Physical access devices are identified.

Physical access devices are controlled.

Physical access devices are managed.

Safeguarding measures for CUI are defined for alternate work sites.

Safeguarding measures for CUI are enforced for alternate work sites.

The frequency to assess risk to organizational operations, organizational assets, and individuals is defined.

Risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.

The frequency to scan for vulnerabilities in an organizational system and its applications that process, store, or transmit CUI is defined.

Vulnerability scans are performed in an organizational system that processes, stores, or transmits CUI with the defined frequency.

Vulnerability scans are performed in an application that contains CUI with the defined frequency.

Vulnerability scans are performed in an organizational system that processes, stores, or transmits CUI when new vulnerabilities are identified.

Vulnerability scans are performed in an application that contains CUI when new vulnerabilities are identified.

Vulnerabilities are identified.

Vulnerabilities are remediated in accordance with risk assessments.

The frequency of security control assessments is defined.

Security controls are assessed with the defined frequency to determine if the controls are effective in their application.

Deficiencies and vulnerabilities to be addressed by the plan of action are identified.

A plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities.

The plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.

Security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.

A system security plan is developed.

The system boundary is described and documented in the system security plan.

The system environment of operation is described and documented in the system security plan.

The security requirements identified and approved by the designated authority as non-applicable are identified.

The method of security requirement implementation is described and documented in the system security plan.

The relationship with or connection to other systems is described and documented in the system security plan.

The frequency to update the system security plan is defined.

System security plan is updated with the defined frequency.

The external system boundary is defined.

Key internal system boundaries are defined.

Communications are monitored at the external system boundary.

Communications are monitored at key internal boundaries.

Communications are controlled at the external system boundary.

Communications are controlled at key internal boundaries.

Communications are protected at the external system boundary.

Communications are protected at key internal boundaries.

Architectural designs that promote effective information security are identified.

Software development techniques that promote effective information security are identified.

Systems engineering principles that promote effective information security are identified.

Identified architectural designs that promote effective information security are employed.

Identified software development techniques that promote effective information security are employed.

Identified systems engineering principles that promote effective information security are employed.

User functionality is identified.

System management functionality is identified.

User functionality is separated from system management functionality.

Unauthorized and unintended information transfer via shared system resources is prevented.

Publicly accessible system components are identified.

Subnetworks for publicly accessible system components are physically or logically separated from internal networks.

Network communications traffic is denied by default.

Network communications traffic is allowed by exception.

Remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling).

Cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified.

Alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified.

Either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.

A period of inactivity to terminate network connections associated with communications sessions is defined.

Network connections associated with communications sessions are terminated at the end of the sessions.

Network connections associated with communications sessions are terminated after the defined period of inactivity.

Cryptographic keys are established whenever cryptography is employed.

Cryptographic keys are managed whenever cryptography is employed.

Fips-validated cryptography is employed to protect the confidentiality of CUI.

Collaborative computing devices are identified.

Collaborative computing devices provide indication to users of devices in use.

Remote activation of collaborative computing devices is prohibited.

Use of mobile code is controlled.

Use of mobile code is monitored.

Use of voice over internet protocol (VOIP) technologies is controlled.

Use of voice over internet protocol (VOIP) technologies is monitored.

The authenticity of communications sessions is protected.

The confidentiality of CUI at rest is protected.

The time within which to identify system flaws is specified.

System flaws are identified within the specified time frame.

The time within which to report system flaws is specified.

System flaws are reported within the specified time frame.

The time within which to correct system flaws is specified.

System flaws are corrected within the specified time frame.

Designated locations for malicious code protection are identified.

Protection from malicious code at designated locations is provided.

Response actions to system security alerts and advisories are identified.

System security alerts and advisories are monitored.

Actions in response to system security alerts and advisories are taken.

Malicious code protection mechanisms are updated when new releases are available.

The frequency for malicious code scans is defined.

Malicious code scans are performed with the defined frequency.

Real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.

The system is monitored to detect attacks and indicators of potential attacks.

Inbound communications traffic is monitored to detect attacks and indicators of potential attacks.

Outbound communications traffic is monitored to detect attacks and indicators of potential attacks.

Authorized use of the system is defined.

Unauthorized use of the system is identified.