NIST 800-172A Assessment Procedure Explorer

Critical or sensitive system and organizational operations for which dual authorization is to be enforced are identified.

Dual authorization is employed to execute critical or sensitive system and organizational operations.

Information resources that are owned, provisioned, or issued by the organization are identified.

Access to systems and system components is restricted to only those information resources that are owned, provisioned, or issued by the organization.

Secure information transfer solutions are defined.

Information flows between security domains on connected systems are identified.

<3.1.3e_ODP[1]: solutions> are employed to control information flows between security domains on connected systems.

The frequency of providing awareness training is defined.

The frequency of updating awareness training is defined.

Threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors are identified.

Awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors is provided <3.2.1e_ODP[1]: frequency>.

Significant changes to the threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors are identified.

Awareness training is updated <3.2.1e_ODP[2]: frequency> or when there are significant changes to the threat.

Roles to be included in awareness training practical exercises are defined.

Practical exercises are identified.

Current threat scenarios are identified.

Individuals involved in training and their supervisors are identified.

Practical exercises that are aligned with current threat scenarios are included in awareness training for <3.2.2e_ODP[1]: roles>.

Feedback is provided to individuals involved in the training and their supervisors.

Approved system components are identified.

Implemented system components are identified.

An authoritative source and repository are established to provide a trusted source and accountability for approved and implemented system components.

An authoritative source and repository are maintained to provide a trusted source and accountability for approved and implemented system components.

One or more of the following is/are selected: remove the components; place the components in a quarantine or remediation network.

Automated mechanisms to detect misconfigured or unauthorized system components are identified.

Automated mechanisms are employed to detect misconfigured or unauthorized system components.

Misconfigured or unauthorized system components are detected.

After detection, system components are <3.4.2.e_ODP[1]: removed and/or placed in a quarantine or remediation network> to facilitate patching, re-configuration, or other mitigations.

Automated discovery and management tools for the inventory of system components are identified.

An up-to-date, complete, accurate, and readily available inventory of system components exists.

Automated discovery and management tools are employed to maintain an up-to-date, complete, accurate, and readily available inventory of system components.

Systems and system components to identify and authenticate are defined.

Bidirectional authentication that is cryptographically-based is implemented.

Bidirectional authentication that is replay-resistant is implemented.

<3.5.1e_ODP[1]: systems and system components> are identified and authenticated before establishing a network connection using bidirectional authentication that is cryptographically-based and replay-resistant.

Systems and system components that do not support multifactor authentication or complex account management are identified.

Automated mechanisms for the generation, protection, rotation, and management of passwords for systems and system components that do not support multifactor authentication or complex account management are identified.

Automated mechanisms for the generation, protection, rotation, and management of passwords for systems and system components that do not support multifactor authentication or complex account management are employed.

System components that are known, authenticated, in a properly configured state, or in a trust profile are identified.

Automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems are identified.

Automated or manual/procedural mechanisms are employed to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.

A time period to operate a security operations center capability is defined.

A security operations center capability is established.

The security operations center capability operates <3.6.1e_ODP[1]: time period>.

The security operations center capability is maintained.

A time period for deploying a cyber incident response team is defined.

A cyber incident response team is established.

The cyber incident response team can be deployed by the organization within <3.6.2e_ODP[1]: time period>.

The cyber incident response team is maintained.

Enhanced personnel screening for individuals is defined.

The frequency with which to reassess individual positions and access to CUI is defined.

Individuals that require enhanced personnel screening are identified.

Positions that require access to CUI are identified.

<3.9.1e_ODP[1]: enhanced personnel screening> is conducted for individuals.

Individual positions and access to CUI is reassessed <3.9.1e_ODP[2]: frequency>.

Individuals with access to CUI are identified.

Adverse information about individuals with access to CUI is defined.

Organizational systems to which individuals have access are identified.

Mechanisms are in place to protect organizational systems if adverse information develops or is obtained about individuals with access to CUI.

Sources of threat intelligence are defined.

A risk assessment methodology is identified.

<3.11.1e_ODP[1]: sources of threat intelligence> are employed as part of a risk assessment to guide and inform the development of organizational systems and security architectures.

<3.11.1e_ODP[1]: sources of threat intelligence> are employed as part of a risk assessment to guide and inform the selection of security solutions.

<3.11.1e_ODP[1]: sources of threat intelligence> are employed as part of a risk assessment to guide and inform system monitoring activities.

<3.11.1e_ODP[1]: sources of threat intelligence> are employed as part of a risk assessment to guide and inform threat hunting activities.

One or more of the following is/are selected: the frequency with which to conduct cyber threat hunting activities; the event triggering cyber threat hunting activities.

The frequency with which to conduct cyber threat hunting activities is defined. (If selected in 3.11.2e_ODP[1])

The event triggering cyber threat hunting activities is defined. (If selected in 3.11.2e_ODP[1])

Organizational systems to search for indicators of compromise are defined.

Indicators of compromise are identified.

Cyber threat hunting activities are conducted <3.11.2e_ODP[2] frequency and/or 3.11.2e_ODP[3] event> to search for indicators of compromise in <3.11.2e_ODP[4]: systems>.

Cyber threat hunting activities are conducted <3.11.2e_ODP[2] frequency and/or 3.11.2e_ODP[3] event> to detect, track, and disrupt threats that evade existing controls.

Advanced automation and analytics capabilities to predict and identify risks to organizations, systems, and system components are identified.

Analysts to predict and identify risks to organizations, systems, and system components are identified.

Advanced automation and analytics capabilities are employed in support of analysts to predict and identify risks to organizations, systems, and system components.

The system security plan documents or references the security solution selected.

The system security plan documents or references the rationale for the security solution.

The system security plan documents or references the risk determination.

The frequency to assess the effectiveness of security solutions is defined.

Security solutions are identified.

Current and accumulated threat intelligence is identified.

Anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence is identified.

The effectiveness of security solutions is assessed <3.11.5e_ODP[1]: frequency> to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence.

Supply chain risks associated with organizational systems and system components are identified.

Supply chain risks associated with organizational systems and system components are assessed.

Supply chain risks associated with organizational systems and system components are responded to.

Supply chain risks associated with organizational systems and system components are monitored.

The frequency for updating the supply chain risk management plan is defined.

Supply chain risks associated with organizational systems and system components are identified.

Organizational systems and system components to include in a supply chain risk management plan are identified.

A plan for managing supply chain risks associated with organizational systems and system components is developed.

The plan for managing supply chain risks is updated <3.11.7e_ODP[1]: frequency>.

The frequency to conduct penetration testing is defined.

Automated scanning tools are identified.

Ad hoc tests using subject matter experts are identified.

Penetration testing is conducted <3.12.1e_ODP[1]: frequency> leveraging automated scanning tools and ad hoc tests using subject matter experts.

System components that require diversity are defined.

Diversity in <3.13.1e_ODP[1]: system components> is created to reduce the extent of malicious code propagation.

Changes to organizational systems and system components to introduce a degree of unpredictability into operations are defined.

The frequency of changes by system and system components is defined.

Organizational systems and system components necessitating unpredictability are identified.

<3.13.2e_ODP[1]: changes> to organizational systems and system components are implemented <3.13.2e_ODP[2]: frequency> to introduce a degree of unpredictability into operations.

Technical and procedural means to confuse and mislead adversaries are defined.

<3.13.3e_ODP[1]: technical and procedural means> are employed to confuse and mislead adversaries.

One or more of the following is/are selected: physical isolation techniques; logical isolation techniques.

Physical isolation techniques are defined. (If selected in 3.13.4e_ODP[1])

Logical isolation techniques are defined. (If selected in 3.13.4e_ODP[1])

<3.13.4e_ODP[2]: physical isolation techniques and/or 3.13.4e_ODP[3] logical isolation techniques> are employed in organizational systems and system components.

System functions or resources to distribute and relocate are defined.

Frequency to distribute and relocate system functions or resources is defined.

<3.13.5e_ODP[1]: system functions or resources> are distributed and relocated <3.13.5e_ODP[2]: frequency>.

Security critical or essential software is defined.

Root of trust mechanisms or cryptographic signatures are identified.

The integrity of <3.14.1e_ODP[1]: security critical or essential software> is verified using root of trust mechanisms or cryptographic signatures.

Anomalous or suspicious behavior is defined.

Organizational systems and system components are monitored on an ongoing basis for anomalous or suspicious behavior.

Systems and system components included in the scope of the specified enhanced security requirements are identified.

<3.14.3e_ODP[1]: systems and system components> are included in the scope of the specified enhanced security requirements.

Systems and system components that are not included in <3.14.3e_ODP[1]: systems and system components> are segregated in purpose-specific networks.

Systems and system components to refresh from a known, trusted state are defined.

The frequency to refresh systems and systems components is defined.

A known, trusted state is identified for <3.14.4e_ODP[1]: systems and system components>.

<3.14.4e_ODP[1]: systems and system components> are refreshed from a known, trusted state .

The frequency with which to conduct reviews of persistent organizational storage locations is defined.

Persistent organizational storage locations are identified.

Reviews of persistent organizational storage locations are conducted <3.14.5e_ODP[1]: frequency> to identify CUI that is no longer needed.

CUI that is no longer needed is removed.

External organizations from which to obtain threat indicator information and effective mitigations are defined.

Threat indicator information is identified.

Effective mitigations are identified.

Intrusion detection approaches are identified.

Threat hunting activities are identified.

Threat indicator information and effective mitigations obtained from <3.14.6e_ODP[1]: external organizations> are used to guide and inform intrusion detection and threat hunting.

Security critical or essential software components for which to verify correctness are defined.

Security critical or essential firmware components for which to verify correctness are defined.

Security critical or essential hardware components for which to verify correctness are defined.

Verification methods or techniques are defined.

The correctness of <3.14.7e_ODP[1]: security critical or essential software components> is verified using <3.14.7e_ODP[4]: verification methods or techniques>.

The correctness of <3.14.7e_ODP[2]: security critical or essential firmware components> is verified using <3.14.7e_ODP[4]: verification methods or techniques>.

The correctness of <3.14.7e_ODP[3]: security critical or essential hardware components> is verified using <3.14.7e_ODP[4]: verification methods or techniques>.