NIST 800-53 r5 Control Explorer

Columns: ID, Family, Title, Requirement
AC-1 Access Control: Policy and Procedures
  1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
    1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] access control policy that:
      1. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      2. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
    2. Procedures to facilitate the implementation of the access control policy and the associated access controls;
  2. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and
  3. Review and update the current access control:
    1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
AC-2 Access Control: Account Management
  1. Define and document the types of accounts allowed and specifically prohibited for use within the system;
  2. Assign account managers;
  3. Require [Assignment: organization-defined prerequisites and criteria] for group and role membership;
  4. Specify:
    1. Authorized users of the system;
    2. Group and role membership; and
    3. Access authorizations (i.e., privileges) and [Assignment: organization-defined attributes (as required)] for each account;
  5. Require approvals by [Assignment: organization-defined personnel or roles] for requests to create accounts;
  6. Create, enable, modify, disable, and remove accounts in accordance with [Assignment: organization-defined policy, procedures, prerequisites, and criteria];
  7. Monitor the use of accounts;
  8. Notify account managers and [Assignment: organization-defined personnel or roles] within:
    1. [Assignment: organization-defined time period] when accounts are no longer required;
    2. [Assignment: organization-defined time period] when users are terminated or transferred; and
    3. [Assignment: organization-defined time period] when system usage or need-to-know changes for an individual;
  9. Authorize access to the system based on:
    1. A valid access authorization;
    2. Intended system usage; and
    3. [Assignment: organization-defined attributes (as required)];
  10. Review accounts for compliance with account management requirements [Assignment: organization-defined frequency];
  11. Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and
  12. Align account management processes with personnel termination and transfer processes.
AC-2(1) Access Control: Account Management | Automated System Account Management

Support the management of system accounts using [Assignment: organization-defined automated mechanisms].

AC-2(2) Access Control: Account Management | Automated Temporary and Emergency Account Management

Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account].

AC-2(3) Access Control: Account Management | Disable Accounts

Disable accounts within [Assignment: organization-defined time period] when the accounts:

  1. Have expired;
  2. Are no longer associated with a user or individual;
  3. Are in violation of organizational policy; or
  4. Have been inactive for [Assignment: organization-defined time period].
AC-2(4) Access Control: Account Management | Automated Audit Actions

Automatically audit account creation, modification, enabling, disabling, and removal actions.

AC-2(5) Access Control: Account Management | Inactivity Logout

Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out].

AC-2(6) Access Control: Account Management | Dynamic Privilege Management

Implement [Assignment: organization-defined dynamic privilege management capabilities].

AC-2(7) Access Control: Account Management | Privileged User Accounts
  1. Establish and administer privileged user accounts in accordance with [Selection: a role-based access scheme; an attribute-based access scheme];
  2. Monitor privileged role or attribute assignments;
  3. Monitor changes to roles or attributes; and
  4. Revoke access when privileged role or attribute assignments are no longer appropriate.
AC-2(8) Access Control: Account Management | Dynamic Account Management

Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically.

AC-2(9) Access Control: Account Management | Restrictions on Use of Shared and Group Accounts

Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions for establishing shared and group accounts].

AC-2(11) Access Control: Account Management | Usage Conditions

Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts].

AC-2(12) Access Control: Account Management | Account Monitoring for Atypical Usage
  1. Monitor system accounts for [Assignment: organization-defined atypical usage]; and
  2. Report atypical usage of system accounts to [Assignment: organization-defined personnel or roles].
AC-2(13) Access Control: Account Management | Disable Accounts for High-risk Individuals

Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks].

AC-3 Access Control: Access Enforcement

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

AC-3(2) Access Control: Access Enforcement | Dual Authorization

Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].

AC-3(3) Access Control: Access Enforcement | Mandatory Access Control

Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy:

  1. Is uniformly enforced across the covered subjects and objects within the system;
  2. Specifies that a subject that has been granted access to information is constrained from doing any of the following:
    1. Passing the information to unauthorized subjects or objects;
    2. Granting its privileges to other subjects;
    3. Changing one or more security attributes (specified by the policy) on subjects, objects, the system, or system components;
    4. Choosing the security attributes and attribute values (specified by the policy) to be associated with newly created or modified objects; and
    5. Changing the rules governing access control; and
  3. Specifies that [Assignment: organization-defined subjects] may explicitly be granted [Assignment: organization-defined privileges] such that they are not limited by any defined subset (or all) of the above constraints.
AC-3(4) Access Control: Access Enforcement | Discretionary Access Control

Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following:

  1. Pass the information to any other subjects or objects;
  2. Grant its privileges to other subjects;
  3. Change security attributes on subjects, objects, the system, or the system’s components;
  4. Choose the security attributes to be associated with newly created or revised objects; or
  5. Change the rules governing access control.
AC-3(5) Access Control: Access Enforcement | Security-relevant Information

Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.

AC-3(7) Access Control: Access Enforcement | Role-based Access Control

Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].

AC-3(8) Access Control: Access Enforcement | Revocation of Access Authorizations

Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].

AC-3(9) Access Control: Access Enforcement | Controlled Release

Release information outside of the system only if:

  1. The receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]; and
  2. [Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release.
AC-3(10) Access Control: Access Enforcement | Audited Override of Access Control Mechanisms

Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].

AC-3(11) Access Control: Access Enforcement | Restrict Access to Specific Information Types

Restrict access to data repositories containing [Assignment: organization-defined information types].

AC-3(12) Access Control: Access Enforcement | Assert and Enforce Application Access
  1. Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions];
  2. Provide an enforcement mechanism to prevent unauthorized access; and
  3. Approve access changes after initial installation of the application.
AC-3(13) Access Control: Access Enforcement | Attribute-based Access Control

Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions].

AC-3(14) Access Control: Access Enforcement | Individual Access

Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements].

AC-3(15) Access Control: Access Enforcement | Discretionary and Mandatory Access Control
  1. Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and
  2. Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.
AC-4 Access Control: Information Flow Enforcement

Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies].

AC-4(1) Access Control: Information Flow Enforcement | Object Security and Privacy Attributes

Use [Assignment: organization-defined security and privacy attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.

AC-4(2) Access Control: Information Flow Enforcement | Processing Domains

Use protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions.

AC-4(3) Access Control: Information Flow Enforcement | Dynamic Information Flow Control

Enforce [Assignment: organization-defined information flow control policies].

AC-4(4) Access Control: Information Flow Enforcement | Flow Control of Encrypted Information

Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]].

AC-4(5) Access Control: Information Flow Enforcement | Embedded Data Types

Enforce [Assignment: organization-defined limitations] on embedding data types within other data types.

AC-4(6) Access Control: Information Flow Enforcement | Metadata

Enforce information flow control based on [Assignment: organization-defined metadata].

AC-4(7) Access Control: Information Flow Enforcement | One-way Flow Mechanisms

Enforce one-way information flows through hardware-based flow control mechanisms.

AC-4(8) Access Control: Information Flow Enforcement | Security and Privacy Policy Filters
  1. Enforce information flow control using [Assignment: organization-defined security or privacy policy filters] as a basis for flow control decisions for [Assignment: organization-defined information flows]; and
  2. [Selection (one or more): Block; Strip; Modify; Quarantine] data after a filter processing failure in accordance with [Assignment: organization-defined security or privacy policy].
AC-4(9) Access Control: Information Flow Enforcement | Human Reviews

Enforce the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions].

AC-4(10) Access Control: Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters

Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions].

AC-4(11) Access Control: Information Flow Enforcement | Configuration of Security or Privacy Policy Filters

Provide the capability for privileged administrators to configure [Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies.

AC-4(12) Access Control: Information Flow Enforcement | Data Type Identifiers

When transferring information between different security domains, use [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions.

AC-4(13) Access Control: Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents

When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms.

AC-4(14) Access Control: Information Flow Enforcement | Security or Privacy Policy Filter Constraints

When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content.

AC-4(15) Access Control: Information Flow Enforcement | Detection of Unsanctioned Information

When transferring information between different security domains, examine the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibit the transfer of such information in accordance with the [Assignment: organization-defined security or privacy policy].

AC-4(17) Access Control: Information Flow Enforcement | Domain Authentication

Uniquely identify and authenticate source and destination points by [Selection (one or more): organization; system; application; service; individual] for information transfer.

AC-4(19) Access Control: Information Flow Enforcement | Validation of Metadata

When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata.

AC-4(20) Access Control: Information Flow Enforcement | Approved Solutions

Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains.

AC-4(21) Access Control: Information Flow Enforcement | Physical or Logical Separation of Information Flows

Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information].

AC-4(22) Access Control: Information Flow Enforcement | Access Only

Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains.

AC-4(23) Access Control: Information Flow Enforcement | Modify Non-releasable Information

When transferring information between different security domains, modify non-releasable information by implementing [Assignment: organization-defined modification action].

AC-4(24) Access Control: Information Flow Enforcement | Internal Normalized Format

When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification.

AC-4(25) Access Control: Information Flow Enforcement | Data Sanitization

When transferring information between different security domains, sanitize data to minimize [Selection (one or more): delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data; spillage of sensitive information] in accordance with [Assignment: organization-defined policy].

AC-4(26) Access Control: Information Flow Enforcement | Audit Filtering Actions

When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered.

AC-4(27) Access Control: Information Flow Enforcement | Redundant/independent Filtering Mechanisms

When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type.

AC-4(28) Access Control: Information Flow Enforcement | Linear Filter Pipelines

When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls.

AC-4(29) Access Control: Information Flow Enforcement | Filter Orchestration Engines

When transferring information between different security domains, employ content filter orchestration engines to ensure that:

  1. Content filtering mechanisms successfully complete execution without errors; and
  2. Content filtering actions occur in the correct order and comply with [Assignment: organization-defined policy].
AC-4(30) Access Control: Information Flow Enforcement | Filter Mechanisms Using Multiple Processes

When transferring information between different security domains, implement content filtering mechanisms using multiple processes.

AC-4(31) Access Control: Information Flow Enforcement | Failed Content Transfer Prevention

When transferring information between different security domains, prevent the transfer of failed content to the receiving domain.

AC-4(32) Access Control: Information Flow Enforcement | Process Requirements for Information Transfer

When transferring information between different security domains, the process that transfers information between filter pipelines:

  1. Does not filter message content;
  2. Validates filtering metadata;
  3. Ensures the content associated with the filtering metadata has successfully completed filtering; and
  4. Transfers the content to the destination filter pipeline.
AC-5 Access Control: Separation of Duties
  1. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and
  2. Define system access authorizations to support separation of duties.
AC-6 Access Control: Least Privilege

Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

AC-6(1) Access Control: Least Privilege | Authorize Access to Security Functions

Authorize access for [Assignment: organization-defined individuals or roles] to:

  1. [Assignment: organization-defined security functions (deployed in hardware, software, and firmware)]; and
  2. [Assignment: organization-defined security-relevant information].
AC-6(2) Access Control: Least Privilege | Non-privileged Access for Nonsecurity Functions

Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions.

AC-6(3) Access Control: Least Privilege | Network Access to Privileged Commands

Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system.

AC-6(4) Access Control: Least Privilege | Separate Processing Domains

Provide separate processing domains to enable finer-grained allocation of user privileges.

AC-6(5) Access Control: Least Privilege | Privileged Accounts

Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles].

AC-6(6) Access Control: Least Privilege | Privileged Access by Non-organizational Users

Prohibit privileged access to the system by non-organizational users.

AC-6(7) Access Control: Least Privilege | Review of User Privileges
  1. Review [Assignment: organization-defined frequency] the privileges assigned to [Assignment: organization-defined roles or classes of users] to validate the need for such privileges; and
  2. Reassign or remove privileges, if necessary, to correctly reflect organizational mission and business needs.
AC-6(8) Access Control: Least Privilege | Privilege Levels for Code Execution

Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software].

AC-6(9) Access Control: Least Privilege | Log Use of Privileged Functions

Log the execution of privileged functions.

AC-6(10) Access Control: Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions

Prevent non-privileged users from executing privileged functions.

AC-7 Access Control: Unsuccessful Logon Attempts
  1. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and
  2. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum number of unsuccessful attempts is exceeded.
AC-7(2) Access Control: Unsuccessful Logon Attempts | Purge or Wipe Mobile Device

Purge or wipe information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging or wiping requirements and techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts.

AC-7(3) Access Control: Unsuccessful Logon Attempts | Biometric Attempt Limiting

Limit the number of unsuccessful biometric logon attempts to [Assignment: organization-defined number].

AC-7(4) Access Control: Unsuccessful Logon Attempts | Use of Alternate Authentication Factor
  1. Allow the use of [Assignment: organization-defined authentication factors] that are different from the primary authentication factors after the number of organization-defined consecutive invalid logon attempts have been exceeded; and
  2. Enforce a limit of [Assignment: organization-defined number] consecutive invalid logon attempts through use of the alternative factors by a user during a [Assignment: organization-defined time period].
AC-8 Access Control: System Use Notification
  1. Display [Assignment: organization-defined system use notification message or banner] to users before granting access to the system that provides privacy and security notices consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines and state that:
    1. Users are accessing a U.S. Government system;
    2. System usage may be monitored, recorded, and subject to audit;
    3. Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
    4. Use of the system indicates consent to monitoring and recording;
  2. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the system; and
  3. For publicly accessible systems:
    1. Display system use information [Assignment: organization-defined conditions], before granting further access to the publicly accessible system;
    2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
    3. Include a description of the authorized uses of the system.
AC-9 Access Control: Previous Logon Notification

Notify the user, upon successful logon to the system, of the date and time of the last logon.

AC-9(1) Access Control: Previous Logon Notification | Unsuccessful Logons

Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon.

AC-9(2) Access Control: Previous Logon Notification | Successful and Unsuccessful Logons

Notify the user, upon successful logon, of the number of [Selection: successful logons; unsuccessful logon attempts; both] during [Assignment: organization-defined time period].

AC-9(3) Access Control: Previous Logon Notification | Notification of Account Changes

Notify the user, upon successful logon, of changes to [Assignment: organization-defined security-related characteristics or parameters of the user’s account] during [Assignment: organization-defined time period].

AC-9(4) Access Control: Previous Logon Notification | Additional Logon Information

Notify the user, upon successful logon, of the following additional information: [Assignment: organization-defined additional information].

AC-10 Access Control: Concurrent Session Control

Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].

AC-11 Access Control: Device Lock
  1. Prevent further access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and
  2. Retain the device lock until the user reestablishes access using established identification and authentication procedures.
AC-11(1) Access Control: Device Lock | Pattern-hiding Displays

Conceal, via the device lock, information previously visible on the display with a publicly viewable image.

AC-12 Access Control: Session Termination

Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].

AC-12(1) Access Control: Session Termination | User-initiated Logouts

Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources].

AC-12(2) Access Control: Session Termination | Termination Message

Display an explicit logout message to users indicating the termination of authenticated communications sessions.

AC-12(3) Access Control: Session Termination | Timeout Warning Message

Display an explicit message to users indicating that the session will end in [Assignment: organization-defined time until end of session].

AC-14 Access Control: Permitted Actions Without Identification or Authentication
  1. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and
  2. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.
AC-16 Access Control: Security and Privacy Attributes
  1. Provide the means to associate [Assignment: organization-defined types of security and privacy attributes] with [Assignment: organization-defined security and privacy attribute values] for information in storage, in process, and/or in transmission;
  2. Ensure that the attribute associations are made and retained with the information;
  3. Establish the following permitted security and privacy attributes from the attributes defined in AC-16a for [Assignment: organization-defined systems]: [Assignment: organization-defined security and privacy attributes];
  4. Determine the following permitted attribute values or ranges for each of the established attributes: [Assignment: organization-defined attribute values or ranges for established attributes];
  5. Audit changes to attributes; and
  6. Review [Assignment: organization-defined security and privacy attributes] for applicability [Assignment: organization-defined frequency].
AC-16(1) Access Control: Security and Privacy Attributes | Dynamic Attribute Association

Dynamically associate security and privacy attributes with [Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: [Assignment: organization-defined security and privacy policies].

AC-16(2) Access Control: Security and Privacy Attributes | Attribute Value Changes by Authorized Individuals

Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes.

AC-16(3) Access Control: Security and Privacy Attributes | Maintenance of Attribute Associations by System

Maintain the association and integrity of [Assignment: organization-defined security and privacy attributes] to [Assignment: organization-defined subjects and objects].

AC-16(4) Access Control: Security and Privacy Attributes | Association of Attributes by Authorized Individuals

Provide the capability to associate [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals).

AC-16(5) Access Control: Security and Privacy Attributes | Attribute Displays on Objects to Be Output

Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-defined special dissemination, handling, or distribution instructions] using [Assignment: organization-defined human-readable, standard naming conventions].

AC-16(6) Access Control: Security and Privacy Attributes | Maintenance of Attribute Association

Require personnel to associate and maintain the association of [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security and privacy policies].

AC-16(7) Access Control: Security and Privacy Attributes | Consistent Attribute Interpretation

Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components.

AC-16(8) Access Control: Security and Privacy Attributes | Association Techniques and Technologies

Implement [Assignment: organization-defined techniques and technologies] in associating security and privacy attributes to information.

AC-16(9) Access Control: Security and Privacy Attributes | Attribute Reassignment — Regrading Mechanisms

Change security and privacy attributes associated with information only via regrading mechanisms validated using [Assignment: organization-defined techniques or procedures].

AC-16(10) Access Control: Security and Privacy Attributes | Attribute Configuration by Authorized Individuals

Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects.

AC-17 Access Control: Remote Access
  1. Establish and document usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and
  2. Authorize each type of remote access to the system prior to allowing such connections.
AC-17(1) Access Control: Remote Access | Monitoring and Control

Employ automated mechanisms to monitor and control remote access methods.

AC-17(2) Access Control: Remote Access | Protection of Confidentiality and Integrity Using Encryption

Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions.

AC-17(3) Access Control: Remote Access | Managed Access Control Points

Route remote accesses through authorized and managed network access control points.

AC-17(4) Access Control: Remote Access | Privileged Commands and Access
  1. Authorize the execution of privileged commands and access to security-relevant information via remote access only in a format that provides assessable evidence and for the following needs: [Assignment: organization-defined needs]; and
  2. Document the rationale for remote access in the security plan for the system.
AC-17(6) Access Control: Remote Access | Protection of Mechanism Information

Protect information about remote access mechanisms from unauthorized use and disclosure.

AC-17(9) Access Control: Remote Access | Disconnect or Disable Access

Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period].

AC-17(10) Access Control: Remote Access | Authenticate Remote Commands

Implement [Assignment: organization-defined mechanisms] to authenticate [Assignment: organization-defined remote commands].

AC-18 Access Control: Wireless Access
  1. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and
  2. Authorize each type of wireless access to the system prior to allowing such connections.
AC-18(1) Access Control: Wireless Access | Authentication and Encryption

Protect wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption.

AC-18(3) Access Control: Wireless Access | Disable Wireless Networking

Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment.

AC-18(4) Access Control: Wireless Access | Restrict Configurations by Users

Identify and explicitly authorize users allowed to independently configure wireless networking capabilities.

AC-18(5) Access Control: Wireless Access | Antennas and Transmission Power Levels

Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries.

AC-19 Access Control: Access Control for Mobile Devices
  1. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and
  2. Authorize the connection of mobile devices to organizational systems.
AC-19(4) Access Control: Access Control for Mobile Devices | Restrictions for Classified Information
  1. Prohibit the use of unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official; and
  2. Enforce the following restrictions on individuals permitted by the authorizing official to use unclassified mobile devices in facilities containing systems processing, storing, or transmitting classified information:
    1. Connection of unclassified mobile devices to classified systems is prohibited;
    2. Connection of unclassified mobile devices to unclassified systems requires approval from the authorizing official;
    3. Use of internal or external modems or wireless interfaces within the unclassified mobile devices is prohibited; and
    4. Unclassified mobile devices and the information stored on those devices are subject to random reviews and inspections by [Assignment: organization-defined security officials], and if classified information is found, the incident handling policy is followed.
  3. Restrict the connection of classified mobile devices to classified systems in accordance with [Assignment: organization-defined security policies].
AC-19(5) Access Control: Access Control for Mobile Devices | Full Device or Container-based Encryption

Employ [Selection: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices].

AC-20 Access Control: Use of External Systems
  1. [Selection (one or more): Establish [Assignment: organization-defined terms and conditions]; Identify [Assignment: organization-defined controls asserted to be implemented on external systems]], consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
    1. Access the system from external systems; and
    2. Process, store, or transmit organization-controlled information using external systems; or
  2. Prohibit the use of [Assignment: organizationally-defined types of external systems].
AC-20(1) Access Control: Use of External Systems | Limits on Authorized Use

Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after:

  1. Verification of the implementation of controls on the external system as specified in the organization’s security and privacy policies and security and privacy plans; or
  2. Retention of approved system connection or processing agreements with the organizational entity hosting the external system.
AC-20(2) Access Control: Use of External Systems | Portable Storage Devices — Restricted Use

Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions].

AC-20(3) Access Control: Use of External Systems | Non-organizationally Owned Systems — Restricted Use

Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [Assignment: organization-defined restrictions].

AC-20(4) Access Control: Use of External Systems | Network Accessible Storage Devices — Prohibited Use

Prohibit the use of [Assignment: organization-defined network accessible storage devices] in external systems.

AC-20(5) Access Control: Use of External Systems | Portable Storage Devices — Prohibited Use

Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems.

AC-21 Access Control: Information Sharing
  1. Enable authorized users to determine whether access authorizations assigned to a sharing partner match the information’s access and use restrictions for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and
  2. Employ [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing and collaboration decisions.
AC-21(1) Access Control: Information Sharing | Automated Decision Support

Employ [Assignment: organization-defined automated mechanisms] to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared.

AC-21(2) Access Control: Information Sharing | Information Search and Retrieval

Implement information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions].

AC-22 Access Control: Publicly Accessible Content
  1. Designate individuals authorized to make information publicly accessible;
  2. Train authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
  3. Review the proposed content of information prior to posting onto the publicly accessible system to ensure that nonpublic information is not included; and
  4. Review the content on the publicly accessible system for nonpublic information [Assignment: organization-defined frequency] and remove such information, if discovered.
AC-23 Access Control: Data Mining Protection

Employ [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to detect and protect against unauthorized data mining.

AC-24 Access Control: Access Control Decisions

[Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.

AC-24(1) Access Control: Access Control Decisions | Transmit Access Authorization Information

Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions.

AC-24(2) Access Control: Access Control Decisions | No User or Process Identity

Enforce access control decisions based on [Assignment: organization-defined security or privacy attributes] that do not include the identity of the user or process acting on behalf of the user.
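
The attribute-based decision that AC-16(1) and AC-24(2) describe, as an added example in Go that is not part of the NIST text or of this explorer: attributes are modelled as a label lattice (a sensitivity level plus a set of compartments), the label of combined information is the join of its inputs, and the read decision compares only the subject's clearance label with the object's label, never a user or process identity. The level names, compartment names and the `Label`, `Join` and `Decide` functions are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Label is a security attribute in the classic lattice style: a totally
// ordered sensitivity level plus a set of compartments (handling caveats).
// Level and compartment names are constructed for this example.
type Label struct {
	Level        int
	Compartments map[string]bool
}

var levelNames = map[int]string{0: "PUBLIC", 1: "INTERNAL", 2: "CONFIDENTIAL", 3: "RESTRICTED"}

func NewLabel(level int, comps ...string) Label {
	l := Label{Level: level, Compartments: map[string]bool{}}
	for _, c := range comps {
		l.Compartments[c] = true
	}
	return l
}

// Dominates reports whether label a is at least as restrictive as b:
// a higher-or-equal level and a superset of b's compartments.
func (a Label) Dominates(b Label) bool {
	if a.Level < b.Level {
		return false
	}
	for c := range b.Compartments {
		if !a.Compartments[c] {
			return false
		}
	}
	return true
}

// Join is the least upper bound of two labels. This is how the attribute
// of derived information is computed when information is combined
// (AC-16(1)): the highest level and the union of compartments.
func Join(a, b Label) Label {
	out := NewLabel(a.Level)
	if b.Level > a.Level {
		out.Level = b.Level
	}
	for c := range a.Compartments {
		out.Compartments[c] = true
	}
	for c := range b.Compartments {
		out.Compartments[c] = true
	}
	return out
}

// String renders a label as LEVEL//COMP1,COMP2 with compartments sorted,
// so two components print the same label the same way.
func (l Label) String() string {
	comps := make([]string, 0, len(l.Compartments))
	for c := range l.Compartments {
		comps = append(comps, c)
	}
	sort.Strings(comps)
	if len(comps) == 0 {
		return levelNames[l.Level]
	}
	return levelNames[l.Level] + "//" + strings.Join(comps, ",")
}

var ErrDenied = errors.New("access denied")

// Decide is the policy decision for a read request. Only the subject's
// clearance label and the object's label enter the decision; no user or
// process identity is consulted (AC-24(2)). A subject may read an object
// only if its clearance dominates the object's label.
func Decide(subject, object Label) error {
	if !subject.Dominates(object) {
		return fmt.Errorf("%w: %s does not dominate %s", ErrDenied, subject, object)
	}
	return nil
}

func main() {
	hr := NewLabel(2, "HR")
	finance := NewLabel(1, "FIN")
	// Combining an HR record with a finance record yields a derived
	// object whose label is the join of both inputs.
	derived := Join(hr, finance)
	fmt.Println("derived label:", derived) // CONFIDENTIAL//FIN,HR

	analyst := NewLabel(3, "HR")       // cleared for HR but not FIN
	auditor := NewLabel(3, "HR", "FIN") // cleared for both
	fmt.Println("analyst reads derived:", Decide(analyst, derived))
	fmt.Println("auditor reads derived:", Decide(auditor, derived))
}
```

The lattice is also what makes AC-16(7) checkable: two distributed components interpret a label consistently exactly when they share the level ordering and the compartment vocabulary. A reference monitor (AC-25) would wrap `Decide` so that no access path bypasses it.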

AC-25 Access Control: Reference Monitor

Implement a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.

AT-1 Awareness and Training: Policy and Procedures
  1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
    1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] awareness and training policy that:
      1. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      2. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
    2. Procedures to facilitate the implementation of the awareness and training policy and the associated awareness and training controls;
  2. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the awareness and training policy and procedures; and
  3. Review and update the current awareness and training:
    1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
AT-2 Awareness and Training: Literacy Training and Awareness
  1. Provide security and privacy literacy training to system users (including managers, senior executives, and contractors):
    1. As part of initial training for new users and [Assignment: organization-defined frequency] thereafter; and
    2. When required by system changes or following [Assignment: organization-defined events];
  2. Employ the following techniques to increase the security and privacy awareness of system users [Assignment: organization-defined awareness techniques];
  3. Update literacy training and awareness content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
  4. Incorporate lessons learned from internal or external security incidents or breaches into literacy training and awareness techniques.
AT-2(1) Awareness and Training: Literacy Training and Awareness | Practical Exercises

Provide practical exercises in literacy training that simulate events and incidents.

AT-2(2) Awareness and Training: Literacy Training and Awareness | Insider Threat

Provide literacy training on recognizing and reporting potential indicators of insider threat.

AT-2(3) Awareness and Training: Literacy Training and Awareness | Social Engineering and Mining

Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining.

AT-2(4) Awareness and Training: Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior

Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using [Assignment: organization-defined indicators of malicious code].

AT-2(5) Awareness and Training: Literacy Training and Awareness | Advanced Persistent Threat

Provide literacy training on the advanced persistent threat.

AT-2(6) Awareness and Training: Literacy Training and Awareness | Cyber Threat Environment
  1. Provide literacy training on the cyber threat environment; and
  2. Reflect current cyber threat information in system operations.
AT-3 Awareness and Training: Role-based Training
  1. Provide role-based security and privacy training to personnel with the following roles and responsibilities: [Assignment: organization-defined roles and responsibilities]:
    1. Before authorizing access to the system, information, or performing assigned duties, and [Assignment: organization-defined frequency] thereafter; and
    2. When required by system changes;
  2. Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
  3. Incorporate lessons learned from internal or external security incidents or breaches into role-based training.
AT-3(1) Awareness and Training: Role-based Training | Environmental Controls

Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls.

AT-3(2) Awareness and Training: Role-based Training | Physical Security Controls

Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls.

AT-3(3) Awareness and Training: Role-based Training | Practical Exercises

Provide practical exercises in security and privacy training that reinforce training objectives.

AT-3(5) Awareness and Training: Role-based Training | Processing Personally Identifiable Information

Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls.

AT-4 Awareness and Training: Training Records
  1. Document and monitor information security and privacy training activities, including security and privacy awareness training and specific role-based security and privacy training; and
  2. Retain individual training records for [Assignment: organization-defined time period].
AT-6 Awareness and Training: Training Feedback

Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel].

AU-1 Audit and Accountability: Policy and Procedures
  1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
    1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] audit and accountability policy that:
      1. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      2. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
    2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;
  2. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and
  3. Review and update the current audit and accountability:
    1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
AU-2 Audit and Accountability: Event Logging
  1. Identify the types of events that the system is capable of logging in support of the audit function: [Assignment: organization-defined event types that the system is capable of logging];
  2. Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged;
  3. Specify the following event types for logging within the system: [Assignment: organization-defined event types (subset of the event types defined in AU-2a.) along with the frequency of (or situation requiring) logging for each identified event type];
  4. Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and
  5. Review and update the event types selected for logging [Assignment: organization-defined frequency].
AU-3 Audit and Accountability: Content of Audit Records

Ensure that audit records contain information that establishes the following:

  1. What type of event occurred;
  2. When the event occurred;
  3. Where the event occurred;
  4. Source of the event;
  5. Outcome of the event; and
  6. Identity of any individuals, subjects, or objects/entities associated with the event.
AU-3(1) Audit and Accountability: Content of Audit Records | Additional Audit Information

Generate audit records containing the following additional information: [Assignment: organization-defined additional information].

AU-3(3) Audit and Accountability: Content of Audit Records | Limit Personally Identifiable Information Elements

Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements].

AU-4 Audit and Accountability: Audit Log Storage Capacity

Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements].

AU-4(1) Audit and Accountability: Audit Log Storage Capacity | Transfer to Alternate Storage

Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging.

AU-5 Audit and Accountability: Response to Audit Logging Process Failures
  1. Alert [Assignment: organization-defined personnel or roles] within [Assignment: organization-defined time period] in the event of an audit logging process failure; and
  2. Take the following additional actions: [Assignment: organization-defined additional actions].
AU-5(1) Audit and Accountability: Response to Audit Logging Process Failures | Storage Capacity Warning

Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity.

AU-5(2) Audit and Accountability: Response to Audit Logging Process Failures | Real-time Alerts

Provide an alert within [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit logging failure events requiring real-time alerts].

AU-5(3) Audit and Accountability: Response to Audit Logging Process Failures | Configurable Traffic Volume Thresholds

Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and [Selection: reject; delay] network traffic above those thresholds.

AU-5(4) Audit and Accountability: Response to Audit Logging Process Failures | Shutdown on Failure

Invoke a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission or business functionality available] in the event of [Assignment: organization-defined audit logging failures], unless an alternate audit logging capability exists.

AU-5(5) Audit and Accountability: Response to Audit Logging Process Failures | Alternate Audit Logging Capability

Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [Assignment: organization-defined alternate audit logging functionality].

AU-6 Audit and Accountability: Audit Record Review, Analysis, and Reporting
  1. Review and analyze system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity] and the potential impact of the inappropriate or unusual activity;
  2. Report findings to [Assignment: organization-defined personnel or roles]; and
  3. Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
AU-6(1) Audit and Accountability: Audit Record Review, Analysis, and Reporting | Automated Process Integration

Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms].

AU-6(3) Audit and Accountability: Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories

Analyze and correlate audit records across different repositories to gain organization-wide situational awareness.

AU-6(4) Audit and Accountability: Audit Record Review, Analysis, and Reporting | Central Review and Analysis

Provide and implement the capability to centrally review and analyze audit records from multiple components within the system.

AU-6(5) Audit and Accountability: Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records

Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.

AU-6(6) Audit and Accountability: Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring

Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

AU-6(7) Audit and Accountability: Audit Record Review, Analysis, and Reporting | Permitted Actions

Specify the permitted actions for each [Selection (one or more): system process; role; user] associated with the review, analysis, and reporting of audit record information.

AU-6(8) Audit and Accountability: Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands

Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis.

AU-6(9) Audit and Accountability: Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources

Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness.

AU-7 Audit and Accountability: Audit Record Reduction and Report Generation

Provide and implement an audit record reduction and report generation capability that:

  1. Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and
  2. Does not alter the original content or time ordering of audit records.
AU-7(1) Audit and Accountability: Audit Record Reduction and Report Generation | Automatic Processing

Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records].

AU-8 Audit and Accountability: Time Stamps
  1. Use internal system clocks to generate time stamps for audit records; and
  2. Record time stamps for audit records that meet [Assignment: organization-defined granularity of time measurement] and that use Coordinated Universal Time, have a fixed local time offset from Coordinated Universal Time, or that include the local time offset as part of the time stamp.
AU-9 Audit and Accountability: Protection of Audit Information
  1. Protect audit information and audit logging tools from unauthorized access, modification, and deletion; and
  2. Alert [Assignment: organization-defined personnel or roles] upon detection of unauthorized access, modification, or deletion of audit information.
AU-9(1) Audit and Accountability: Protection of Audit Information | Hardware Write-once Media

Write audit trails to hardware-enforced, write-once media.

AU-9(2) Audit and Accountability: Protection of Audit Information | Store on Separate Physical Systems or Components

Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited.

AU-9(3) Audit and Accountability: Protection of Audit Information | Cryptographic Protection

Implement cryptographic mechanisms to protect the integrity of audit information and audit tools.
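
An added example in Go (not NIST text, and not code from this explorer) that ties AU-3, AU-8 and AU-9(3) together: every record carries the six AU-3 elements and an RFC 3339 UTC timestamp, and records are chained with HMAC-SHA256 so that editing, deleting or reordering an earlier record is detected when the chain is verified, which also gives a concrete meaning to the AU-7 requirement that processing not alter content or time ordering. The field names, the `Record` and `Logger` types and the demo key are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Record carries the six AU-3 elements plus the chain fields. The field
// names are this example's own choice, not a NIST-prescribed schema.
type Record struct {
	Seq     uint64 `json:"seq"`
	Type    string `json:"type"`    // AU-3 a: what type of event
	Time    string `json:"time"`    // AU-3 b: when (RFC 3339 in UTC, per AU-8 b)
	Where   string `json:"where"`   // AU-3 c: component or host
	Source  string `json:"source"`  // AU-3 d: originating address or process
	Outcome string `json:"outcome"` // AU-3 e: success or failure
	Subject string `json:"subject"` // AU-3 f: identities associated with the event
	PrevMAC string `json:"prev_mac"`
	MAC     string `json:"mac"`
}

// Logger appends records to an in-memory chain. Each MAC covers the
// record content and the previous MAC, so editing, deleting or reordering
// an earlier record breaks every later MAC (AU-9(3)).
type Logger struct {
	key     []byte
	prevMAC string
	Records []Record
}

// genesis is the fixed public starting value of the chain.
var genesis = hex.EncodeToString(make([]byte, 32))

func NewLogger(key []byte) *Logger {
	return &Logger{key: key, prevMAC: genesis}
}

// content is the byte string the MAC authenticates: every field except
// the MAC itself, serialized as JSON with a fixed field order.
func content(r Record) []byte {
	r.MAC = ""
	b, _ := json.Marshal(r)
	return b
}

func mac(key, msg []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return hex.EncodeToString(m.Sum(nil))
}

func (l *Logger) Append(typ, where, source, outcome, subject string, at time.Time) Record {
	r := Record{
		Seq:     uint64(len(l.Records)) + 1,
		Type:    typ,
		Time:    at.UTC().Format(time.RFC3339Nano),
		Where:   where,
		Source:  source,
		Outcome: outcome,
		Subject: subject,
		PrevMAC: l.prevMAC,
	}
	r.MAC = mac(l.key, content(r))
	l.prevMAC = r.MAC
	l.Records = append(l.Records, r)
	return r
}

var ErrTampered = errors.New("audit chain integrity failure")

// Verify recomputes the chain and reports the first record whose MAC or
// linkage does not check out. The verifier needs the same key as the
// producer, which is why an HMAC chain proves integrity but not
// non-repudiation.
func Verify(key []byte, recs []Record) error {
	prev := genesis
	for i, r := range recs {
		if r.Seq != uint64(i)+1 || r.PrevMAC != prev {
			return fmt.Errorf("%w: record %d out of order or predecessor missing", ErrTampered, i+1)
		}
		if !hmac.Equal([]byte(r.MAC), []byte(mac(key, content(r)))) {
			return fmt.Errorf("%w: record %d content modified", ErrTampered, i+1)
		}
		prev = r.MAC
	}
	return nil
}

func main() {
	key := []byte("constructed-demo-key-do-not-use") // assumption: real key comes from a KMS/HSM
	l := NewLogger(key)
	t0 := time.Date(2024, 5, 1, 12, 0, 0, 0, time.UTC)
	l.Append("logon", "host-a", "203.0.113.5", "success", "user:alice", t0)
	l.Append("sudo", "host-a", "pid:4242", "success", "user:alice", t0.Add(time.Second))
	l.Append("logoff", "host-a", "203.0.113.5", "success", "user:alice", t0.Add(2*time.Second))
	fmt.Println("intact:", Verify(key, l.Records))

	tampered := append([]Record(nil), l.Records...)
	tampered[1].Outcome = "failure" // an insider edits a past record
	fmt.Println("edited:", Verify(key, tampered))
}
```

Two caveats a reviewer should expect: truncating the chain from the end is not detectable from the records alone, so the latest MAC has to be anchored somewhere the logging host cannot rewrite (AU-9(2) is the natural place), and because the verifier holds the producer's key, an HMAC chain gives integrity but not non-repudiation, which needs signatures (AU-10).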

AU-9(4) Audit and Accountability: Protection of Audit Information | Access by Subset of Privileged Users

Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles].

AU-9(5) Audit and Accountability: Protection of Audit Information | Dual Authorization

Enforce dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information].

AU-9(6) Audit and Accountability: Protection of Audit Information | Read-only Access

Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles].

AU-9(7) Audit and Accountability: Protection of Audit Information | Store on Component with Different Operating System

Store audit information on a component running a different operating system than the system or component being audited.

AU-10 Audit and Accountability: Non-repudiation

Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation].

AU-10(1) Audit and Accountability: Non-repudiation | Association of Identities
  1. Bind the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and
  2. Provide the means for authorized individuals to determine the identity of the producer of the information.
AU-10(2) Audit and Accountability: Non-repudiation | Validate Binding of Information Producer Identity
  1. Validate the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and
  2. Perform [Assignment: organization-defined actions] in the event of a validation error.
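
The binding that AU-10(1) and AU-10(2) call for, as an added example in Go rather than NIST or explorer code: a producer signs the information with an Ed25519 private key, a registry maps producer identities to public keys, and `ValidateBinding` fails closed when the producer is unknown, the identity has been swapped, or the payload has changed. Unlike a MAC, the verifier holds only public keys, so a valid signature is evidence only the producer could have made. The `Registry` type, the producer names and the payloads are constructed for this example; the organization-defined action on a validation error is left to the caller.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Registry maps producer identities to their public keys. In a deployment
// it would be backed by the organization's PKI; here it is an in-memory map.
type Registry map[string]ed25519.PublicKey

// NewProducer generates a key pair for a named producer, registers the
// public half and returns the private half (demo helper).
func NewProducer(name string, reg Registry) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg[name] = pub
	return priv
}

// SignedInfo binds a producer identity to information: the signature
// covers both the identity and the payload, so neither can be swapped
// without invalidating it.
type SignedInfo struct {
	Producer  string `json:"producer"`
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// signedBytes encodes producer and payload as distinct JSON fields so the
// boundary between them is unambiguous to both signer and verifier.
func signedBytes(producer string, payload []byte) []byte {
	b, _ := json.Marshal(struct {
		P string `json:"p"`
		D []byte `json:"d"`
	}{producer, payload})
	return b
}

func Sign(producer string, priv ed25519.PrivateKey, payload []byte) SignedInfo {
	return SignedInfo{
		Producer:  producer,
		Payload:   payload,
		Signature: ed25519.Sign(priv, signedBytes(producer, payload)),
	}
}

var (
	ErrUnknownProducer = errors.New("producer not in registry")
	ErrBadBinding      = errors.New("producer identity binding invalid")
)

// ValidateBinding is the AU-10(2) check: confirm that the information is
// still bound to the claimed producer. The caller applies the
// organization-defined action on error (reject, quarantine, alert).
func (r Registry) ValidateBinding(s SignedInfo) error {
	pub, ok := r[s.Producer]
	if !ok {
		return fmt.Errorf("%w: %q", ErrUnknownProducer, s.Producer)
	}
	if !ed25519.Verify(pub, signedBytes(s.Producer, s.Payload), s.Signature) {
		return fmt.Errorf("%w: %q", ErrBadBinding, s.Producer)
	}
	return nil
}

func main() {
	reg := Registry{}
	alice := NewProducer("analyst:alice", reg)

	info := Sign("analyst:alice", alice, []byte("approved release of report 17"))
	fmt.Println("genuine:", reg.ValidateBinding(info))

	forged := info
	forged.Producer = "analyst:bob" // attempt to re-attribute the information
	fmt.Println("re-attributed:", reg.ValidateBinding(forged))

	altered := info
	altered.Payload = []byte("approved release of report 18")
	fmt.Println("altered payload:", reg.ValidateBinding(altered))
}
```

The strength of binding that AU-10(1) asks for is set by how the private key is protected (a hardware token gives a stronger claim than a file on disk) and by how the registry itself is kept trustworthy; the signature check alone says nothing about either.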
AU-10(3) Audit and Accountability: Non-repudiation | Chain of Custody

Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released.

AU-10(4) Audit and Accountability: Non-repudiation | Validate Binding of Information Reviewer Identity
  1. Validate the binding of the information reviewer identity to the information at the transfer or release points prior to release or transfer between [Assignment: organization-defined security domains]; and
  2. Perform [Assignment: organization-defined actions] in the event of a validation error.
AU-11 Audit and Accountability: Audit Record Retention

Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements.

AU-11(1) Audit and Accountability: Audit Record Retention | Long-term Retrieval Capability

Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved.

AU-12 Audit and Accountability: Audit Record Generation
  1. Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2a on [Assignment: organization-defined system components];
  2. Allow [Assignment: organization-defined personnel or roles] to select the event types that are to be logged by specific components of the system; and
  3. Generate audit records for the event types defined in AU-2c that include the audit record content defined in AU-3.
AU-12(1) Audit and Accountability: Audit Record Generation | System-wide and Time-correlated Audit Trail

Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].

AU-12(2) Audit and Accountability: Audit Record Generation | Standardized Formats

Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format.

AU-12(3) Audit and Accountability: Audit Record Generation | Changes by Authorized Individuals

Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].

AU-12(4) Audit and Accountability: Audit Record Generation | Query Parameter Audits of Personally Identifiable Information

Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information.

AU-13 Audit and Accountability: Monitoring for Information Disclosure
  1. Monitor [Assignment: organization-defined open-source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information; and
  2. If an information disclosure is discovered:
    1. Notify [Assignment: organization-defined personnel or roles]; and
    2. Take the following additional actions: [Assignment: organization-defined additional actions].
AU-13(1) | Audit and Accountability | Monitoring for Information Disclosure | Use of Automated Tools

Monitor open-source information and information sites using [Assignment: organization-defined automated mechanisms].

AU-13(2) | Audit and Accountability | Monitoring for Information Disclosure | Review of Monitored Sites

Review the list of open-source information sites being monitored [Assignment: organization-defined frequency].

AU-13(3) | Audit and Accountability | Monitoring for Information Disclosure | Unauthorized Replication of Information

Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner.

AU-14 | Audit and Accountability | Session Audit
  1. Provide and implement the capability for [Assignment: organization-defined users or roles] to [Selection (one or more): record; view; hear; log] the content of a user session under [Assignment: organization-defined circumstances]; and
  2. Develop, integrate, and use session auditing activities in consultation with legal counsel and in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
AU-14(1) | Audit and Accountability | Session Audit | System Start-up

Initiate session audits automatically at system start-up.

AU-14(3) | Audit and Accountability | Session Audit | Remote Viewing and Listening

Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time.

AU-16 | Audit and Accountability | Cross-organizational Audit Logging

Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.

AU-16(1) | Audit and Accountability | Cross-organizational Audit Logging | Identity Preservation

Preserve the identity of individuals in cross-organizational audit trails.

AU-16(2) | Audit and Accountability | Cross-organizational Audit Logging | Sharing of Audit Information

Provide cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements].

AU-16(3) | Audit and Accountability | Cross-organizational Audit Logging | Disassociability

Implement [Assignment: organization-defined measures] to disassociate individuals from audit information transmitted across organizational boundaries.

CA-1 | Assessment, Authorization, and Monitoring | Policy and Procedures
  1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
    1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] assessment, authorization, and monitoring policy that:
      1. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      2. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
    2. Procedures to facilitate the implementation of the assessment, authorization, and monitoring policy and the associated assessment, authorization, and monitoring controls;
  2. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the assessment, authorization, and monitoring policy and procedures; and
  3. Review and update the current assessment, authorization, and monitoring:
    1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
CA-2 | Assessment, Authorization, and Monitoring | Control Assessments
  1. Select the appropriate assessor or assessment team for the type of assessment to be conducted;
  2. Develop a control assessment plan that describes the scope of the assessment including:
    1. Controls and control enhancements under assessment;
    2. Assessment procedures to be used to determine control effectiveness; and
    3. Assessment environment, assessment team, and assessment roles and responsibilities;
  3. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
  4. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
  5. Produce a control assessment report that documents the results of the assessment; and
  6. Provide the results of the control assessment to [Assignment: organization-defined individuals or roles].
CA-2(1) | Assessment, Authorization, and Monitoring | Control Assessments | Independent Assessors

Employ independent assessors or assessment teams to conduct control assessments.

CA-2(2) | Assessment, Authorization, and Monitoring | Control Assessments | Specialized Assessments

Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]].

CA-2(3) | Assessment, Authorization, and Monitoring | Control Assessments | Leveraging Results from External Organizations

Leverage the results of control assessments performed by [Assignment: organization-defined external organization] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements].

CA-3 | Assessment, Authorization, and Monitoring | Information Exchange
  1. Approve and manage the exchange of information between the system and other systems using [Selection (one or more): interconnection security agreements; information exchange security agreements; memoranda of understanding or agreement; service level agreements; user agreements; nondisclosure agreements; [Assignment: organization-defined type of agreement]];
  2. Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and
  3. Review and update the agreements [Assignment: organization-defined frequency].
CA-3(6) | Assessment, Authorization, and Monitoring | Information Exchange | Transfer Authorizations

Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data.

CA-3(7) | Assessment, Authorization, and Monitoring | Information Exchange | Transitive Information Exchanges
  1. Identify transitive (downstream) information exchanges with other systems through the systems identified in CA-3a; and
  2. Take measures to ensure that transitive (downstream) information exchanges cease when the controls on identified transitive (downstream) systems cannot be verified or validated.
CA-5 | Assessment, Authorization, and Monitoring | Plan of Action and Milestones
  1. Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and
  2. Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.
CA-5(1) | Assessment, Authorization, and Monitoring | Plan of Action and Milestones | Automation Support for Accuracy and Currency

Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [Assignment: organization-defined automated mechanisms].

CA-6 | Assessment, Authorization, and Monitoring | Authorization
  1. Assign a senior official as the authorizing official for the system;
  2. Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;
  3. Ensure that the authorizing official for the system, before commencing operations:
    1. Accepts the use of common controls inherited by the system; and
    2. Authorizes the system to operate;
  4. Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems; and
  5. Update the authorizations [Assignment: organization-defined frequency].
CA-6(1) | Assessment, Authorization, and Monitoring | Authorization | Joint Authorization — Intra-organization

Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization.

CA-6(2) | Assessment, Authorization, and Monitoring | Authorization | Joint Authorization — Inter-organization

Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization.

CA-7 | Assessment, Authorization, and Monitoring | Continuous Monitoring

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

  1. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics];
  2. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;
  3. Ongoing control assessments in accordance with the continuous monitoring strategy;
  4. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
  5. Correlation and analysis of information generated by control assessments and monitoring;
  6. Response actions to address results of the analysis of control assessment and monitoring information; and
  7. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
CA-7(1) | Assessment, Authorization, and Monitoring | Continuous Monitoring | Independent Assessment

Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis.

CA-7(3) | Assessment, Authorization, and Monitoring | Continuous Monitoring | Trend Analyses

Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data.

CA-7(4) | Assessment, Authorization, and Monitoring | Continuous Monitoring | Risk Monitoring

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:

  1. Effectiveness monitoring;
  2. Compliance monitoring; and
  3. Change monitoring.
CA-7(5) | Assessment, Authorization, and Monitoring | Continuous Monitoring | Consistency Analysis

Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: [Assignment: organization-defined actions].

CA-7(6) | Assessment, Authorization, and Monitoring | Continuous Monitoring | Automation Support for Monitoring

Ensure the accuracy, currency, and availability of monitoring results for the system using [Assignment: organization-defined automated mechanisms].

CA-8 | Assessment, Authorization, and Monitoring | Penetration Testing

Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined systems or system components].

CA-8(1) | Assessment, Authorization, and Monitoring | Penetration Testing | Independent Penetration Testing Agent or Team

Employ an independent penetration testing agent or team to perform penetration testing on the system or system components.

CA-8(2) | Assessment, Authorization, and Monitoring | Penetration Testing | Red Team Exercises

Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [Assignment: organization-defined red team exercises].

CA-8(3) | Assessment, Authorization, and Monitoring | Penetration Testing | Facility Penetration Testing

Employ a penetration testing process that includes [Assignment: organization-defined frequency] [Selection: announced; unannounced] attempts to bypass or circumvent controls associated with physical access points to the facility.

CA-9 | Assessment, Authorization, and Monitoring | Internal System Connections
  1. Authorize internal connections of [Assignment: organization-defined system components or classes of components] to the system;
  2. Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;
  3. Terminate internal system connections after [Assignment: organization-defined conditions]; and
  4. Review [Assignment: organization-defined frequency] the continued need for each internal connection.
CA-9(1) | Assessment, Authorization, and Monitoring | Internal System Connections | Compliance Checks

Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.

CM-1 | Configuration Management | Policy and Procedures
  1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
    1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] configuration management policy that:
      1. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      2. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
    2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;
  2. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and
  3. Review and update the current configuration management:
    1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
CM-2 | Configuration Management | Baseline Configuration
  1. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
  2. Review and update the baseline configuration of the system:
    1. [Assignment: organization-defined frequency];
    2. When required due to [Assignment: organization-defined circumstances]; and
    3. When system components are installed or upgraded.
CM-2(2) | Configuration Management | Baseline Configuration | Automation Support for Accuracy and Currency

Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms].

CM-2(3) | Configuration Management | Baseline Configuration | Retention of Previous Configurations

Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback.

CM-2(6) | Configuration Management | Baseline Configuration | Development and Test Environments

Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.

CM-2(7) | Configuration Management | Baseline Configuration | Configure Systems and Components for High-risk Areas
  1. Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
  2. Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls].
CM-3 | Configuration Management | Configuration Change Control
  1. Determine and document the types of changes to the system that are configuration-controlled;
  2. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
  3. Document configuration change decisions associated with the system;
  4. Implement approved configuration-controlled changes to the system;
  5. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period];
  6. Monitor and review activities associated with configuration-controlled changes to the system; and
  7. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]].
CM-3(1) | Configuration Management | Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes

Use [Assignment: organization-defined automated mechanisms] to:

  1. Document proposed changes to the system;
  2. Notify [Assignment: organization-defined approval authorities] of proposed changes to the system and request change approval;
  3. Highlight proposed changes to the system that have not been approved or disapproved within [Assignment: organization-defined time period];
  4. Prohibit changes to the system until designated approvals are received;
  5. Document all changes to the system; and
  6. Notify [Assignment: organization-defined personnel] when approved changes to the system are completed.
CM-3(2) | Configuration Management | Configuration Change Control | Testing, Validation, and Documentation of Changes

Test, validate, and document changes to the system before finalizing the implementation of the changes.

CM-3(3) | Configuration Management | Configuration Change Control | Automated Change Implementation

Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms].

CM-3(4) | Configuration Management | Configuration Change Control | Security and Privacy Representatives

Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element].

CM-3(5) | Configuration Management | Configuration Change Control | Automated Security Response

Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: [Assignment: organization-defined security responses].

CM-3(6) | Configuration Management | Configuration Change Control | Cryptography Management

Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [Assignment: organization-defined controls].

CM-3(7) | Configuration Management | Configuration Change Control | Review System Changes

Review changes to the system [Assignment: organization-defined frequency] or when [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.

CM-3(8) | Configuration Management | Configuration Change Control | Prevent or Restrict Configuration Changes

Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances].

CM-4 | Configuration Management | Impact Analyses

Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

CM-4(1) | Configuration Management | Impact Analyses | Separate Test Environments

Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice.

CM-4(2) | Configuration Management | Impact Analyses | Verification of Controls

After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.

CM-5 | Configuration Management | Access Restrictions for Change

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

CM-5(1) | Configuration Management | Access Restrictions for Change | Automated Access Enforcement and Audit Records
  1. Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and
  2. Automatically generate audit records of the enforcement actions.
CM-5(4) | Configuration Management | Access Restrictions for Change | Dual Authorization

Enforce dual authorization for implementing changes to [Assignment: organization-defined system components and system-level information].

CM-5(5) | Configuration Management | Access Restrictions for Change | Privilege Limitation for Production and Operation
  1. Limit privileges to change system components and system-related information within a production or operational environment; and
  2. Review and reevaluate privileges [Assignment: organization-defined frequency].
CM-5(6) | Configuration Management | Access Restrictions for Change | Limit Library Privileges

Limit privileges to change software resident within software libraries.

CM-6 | Configuration Management | Configuration Settings
  1. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];
  2. Implement the configuration settings;
  3. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and
  4. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
CM-6(1) | Configuration Management | Configuration Settings | Automated Management, Application, and Verification

Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms].

CM-6(2) | Configuration Management | Configuration Settings | Respond to Unauthorized Changes

Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions].

CM-7 | Configuration Management | Least Functionality
  1. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
  2. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].
CM-7(1) | Configuration Management | Least Functionality | Periodic Review
  1. Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and
  2. Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure].
CM-7(2) | Configuration Management | Least Functionality | Prevent Program Execution

Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].

CM-7(3) | Configuration Management | Least Functionality | Registration Compliance

Ensure compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].

CM-7(4) | Configuration Management | Least Functionality | Unauthorized Software — Deny-by-exception
  1. Identify [Assignment: organization-defined software programs not authorized to execute on the system];
  2. Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and
  3. Review and update the list of unauthorized software programs [Assignment: organization-defined frequency].
CM-7(5) | Configuration Management | Least Functionality | Authorized Software — Allow-by-exception
  1. Identify [Assignment: organization-defined software programs authorized to execute on the system];
  2. Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and
  3. Review and update the list of authorized software programs [Assignment: organization-defined frequency].
CM-7(6) | Configuration Management | Least Functionality | Confined Environments with Limited Privileges

Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: [Assignment: organization-defined user-installed software].

CM-7(7) | Configuration Management | Least Functionality | Code Execution in Protected Environments

Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles] when such code is:

  1. Obtained from sources with limited or no warranty; and/or
  2. Without the provision of source code.
CM-7(8) | Configuration Management | Least Functionality | Binary or Machine Executable Code
  1. Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and
  2. Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official.
CM-7(9) | Configuration Management | Least Functionality | Prohibiting the Use of Unauthorized Hardware
  1. Identify [Assignment: organization-defined hardware components authorized for system use];
  2. Prohibit the use or connection of unauthorized hardware components; and
  3. Review and update the list of authorized hardware components [Assignment: organization-defined frequency].
CM-8 | Configuration Management | System Component Inventory
  1. Develop and document an inventory of system components that:
    1. Accurately reflects the system;
    2. Includes all components within the system;
    3. Does not include duplicate accounting of components or components assigned to any other system;
    4. Is at the level of granularity deemed necessary for tracking and reporting; and
    5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and
  2. Review and update the system component inventory [Assignment: organization-defined frequency].
CM-8(1) | Configuration Management | System Component Inventory | Updates During Installation and Removal

Update the inventory of system components as part of component installations, removals, and system updates.

CM-8(2) | Configuration Management | System Component Inventory | Automated Maintenance

Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms].

CM-8(3) | Configuration Management | System Component Inventory | Automated Unauthorized Component Detection
  1. Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and
  2. Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]].
CM-8(4) | Configuration Management | System Component Inventory | Accountability Information

Include in the system component inventory information a means for identifying, by [Selection (one or more): name; position; role], the individuals responsible and accountable for administering those components.

CM-8(6) | Configuration Management | System Component Inventory | Assessed Configurations and Approved Deviations

Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.

CM-8(7) | Configuration Management | System Component Inventory | Centralized Repository

Provide a centralized repository for the inventory of system components.

CM-8(8) | Configuration Management | System Component Inventory | Automated Location Tracking

Support the tracking of system components by geographic location using [Assignment: organization-defined automated mechanisms].

CM-8(9) | Configuration Management | System Component Inventory | Assignment of Components to Systems
  1. Assign system components to a system; and
  2. Receive an acknowledgement from [Assignment: organization-defined personnel or roles] of this assignment.
CM-9 | Configuration Management | Configuration Management Plan

Develop, document, and implement a configuration management plan for the system that:

  1. Addresses roles, responsibilities, and configuration management processes and procedures;
  2. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
  3. Defines the configuration items for the system and places the configuration items under configuration management;
  4. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and
  5. Protects the configuration management plan from unauthorized disclosure and modification.
CM-9(1) | Configuration Management | Configuration Management Plan | Assignment of Responsibility

Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.

CM-10 | Configuration Management | Software Usage Restrictions
  1. Use software and associated documentation in accordance with contract agreements and copyright laws;
  2. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
  3. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CM-10(1) | Configuration Management | Software Usage Restrictions | Open-source Software

Establish the following restrictions on the use of open-source software: [Assignment: organization-defined restrictions].

CM-11 | Configuration Management | User-installed Software
  1. Establish [Assignment: organization-defined policies] governing the installation of software by users;
  2. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and
  3. Monitor policy compliance [Assignment: organization-defined frequency].
CM-11(2)Configuration ManagementUser-installed Software | Software Installation with Privileged Status

Allow user installation of software only with explicit privileged status.

CM-11(3)Configuration ManagementUser-installed Software | Automated Enforcement and Monitoring

Enforce and monitor compliance with software installation policies using [Assignment: organization-defined automated mechanisms].

CM-12Configuration ManagementInformation Location
  1. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored;
  2. Identify and document the users who have access to the system and system components where the information is processed and stored; and
  3. Document changes to the location (i.e., system or system components) where the information is processed and stored.
CM-12(1)Configuration ManagementInformation Location | Automated Tools to Support Information Location

Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy.

CM-13Configuration ManagementData Action Mapping

Develop and document a map of system data actions.

CM-14Configuration ManagementSigned Components

Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

CP-1Contingency PlanningPolicy and Procedures
  1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
    1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] contingency planning policy that:
      1. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      2. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
    2. Procedures to facilitate the implementation of the contingency planning policy and the associated contingency planning controls;
  2. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the contingency planning policy and procedures; and
  3. Review and update the current contingency planning:
    1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
CP-2Contingency PlanningContingency Plan
  1. Develop a contingency plan for the system that:
    1. Identifies essential mission and business functions and associated contingency requirements;
    2. Provides recovery objectives, restoration priorities, and metrics;
    3. Addresses contingency roles, responsibilities, assigned individuals with contact information;
    4. Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure;
    5. Addresses eventual, full system restoration without deterioration of the controls originally planned and implemented;
    6. Addresses the sharing of contingency information; and
    7. Is reviewed and approved by [Assignment: organization-defined personnel or roles];
  2. Distribute copies of the contingency plan to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
  3. Coordinate contingency planning activities with incident handling activities;
  4. Review the contingency plan for the system [Assignment: organization-defined frequency];
  5. Update the contingency plan to address changes to the organization, system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing;
  6. Communicate contingency plan changes to [Assignment: organization-defined key contingency personnel (identified by name and/or by role) and organizational elements];
  7. Incorporate lessons learned from contingency plan testing, training, or actual contingency activities into contingency testing and training; and
  8. Protect the contingency plan from unauthorized disclosure and modification.
CP-2(1)Contingency PlanningContingency Plan | Coordinate with Related Plans

Coordinate contingency plan development with organizational elements responsible for related plans.

CP-2(2)Contingency PlanningContingency Plan | Capacity Planning

Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.

CP-2(3)Contingency PlanningContingency Plan | Resume Mission and Business Functions

Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation.

CP-2(5)Contingency PlanningContingency Plan | Continue Mission and Business Functions

Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites.

CP-2(6)Contingency PlanningContingency Plan | Alternate Processing and Storage Sites

Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites.

CP-2(7)Contingency PlanningContingency Plan | Coordinate with External Service Providers

Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied.

CP-2(8)Contingency PlanningContingency Plan | Identify Critical Assets

Identify critical system assets supporting [Selection: all; essential] mission and business functions.

CP-3Contingency PlanningContingency Training
  1. Provide contingency training to system users consistent with assigned roles and responsibilities:
    1. Within [Assignment: organization-defined time period] of assuming a contingency role or responsibility;
    2. When required by system changes; and
    3. [Assignment: organization-defined frequency] thereafter; and
  2. Review and update contingency training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
CP-3(1)Contingency PlanningContingency Training | Simulated Events

Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.

CP-3(2)Contingency PlanningContingency Training | Mechanisms Used in Training Environments

Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment.

CP-4Contingency PlanningContingency Plan Testing
  1. Test the contingency plan for the system [Assignment: organization-defined frequency] using the following tests to determine the effectiveness of the plan and the readiness to execute the plan: [Assignment: organization-defined tests];
  2. Review the contingency plan test results; and
  3. Initiate corrective actions, if needed.
CP-4(1)Contingency PlanningContingency Plan Testing | Coordinate with Related Plans

Coordinate contingency plan testing with organizational elements responsible for related plans.

CP-4(2)Contingency PlanningContingency Plan Testing | Alternate Processing Site

Test the contingency plan at the alternate processing site:

  1. To familiarize contingency personnel with the facility and available resources; and
  2. To evaluate the capabilities of the alternate processing site to support contingency operations.
CP-4(3)Contingency PlanningContingency Plan Testing | Automated Testing

Test the contingency plan using [Assignment: organization-defined automated mechanisms].

CP-4(4)Contingency PlanningContingency Plan Testing | Full Recovery and Reconstitution

Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing.

CP-4(5)Contingency PlanningContingency Plan Testing | Self-challenge

Employ [Assignment: organization-defined mechanisms] to [Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component.

CP-6Contingency PlanningAlternate Storage Site
  1. Establish an alternate storage site, including necessary agreements to permit the storage and retrieval of system backup information; and
  2. Ensure that the alternate storage site provides controls equivalent to that of the primary site.
CP-6(1)Contingency PlanningAlternate Storage Site | Separation from Primary Site

Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats.

CP-6(2)Contingency PlanningAlternate Storage Site | Recovery Time and Recovery Point Objectives

Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives.

CP-6(3)Contingency PlanningAlternate Storage Site | Accessibility

Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions.

CP-7Contingency PlanningAlternate Processing Site
  1. Establish an alternate processing site, including necessary agreements to permit the transfer and resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] when the primary processing capabilities are unavailable;
  2. Make available at the alternate processing site, the equipment and supplies required to transfer and resume operations or put contracts in place to support delivery to the site within the organization-defined time period for transfer and resumption; and
  3. Provide controls at the alternate processing site that are equivalent to those at the primary site.
CP-7(1)Contingency PlanningAlternate Processing Site | Separation from Primary Site

Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats.

CP-7(2)Contingency PlanningAlternate Processing Site | Accessibility

Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outline explicit mitigation actions.

CP-7(3)Contingency PlanningAlternate Processing Site | Priority of Service

Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives).

CP-7(4)Contingency PlanningAlternate Processing Site | Preparation for Use

Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions.

CP-7(6)Contingency PlanningAlternate Processing Site | Inability to Return to Primary Site

Plan and prepare for circumstances that preclude returning to the primary processing site.

CP-8Contingency PlanningTelecommunications Services

Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.

CP-8(1)Contingency PlanningTelecommunications Services | Priority of Service Provisions
  1. Develop primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives); and
  2. Request Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness if the primary and/or alternate telecommunications services are provided by a common carrier.
CP-8(2)Contingency PlanningTelecommunications Services | Single Points of Failure

Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services.

CP-8(3)Contingency PlanningTelecommunications Services | Separation of Primary and Alternate Providers

Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.

CP-8(4)Contingency PlanningTelecommunications Services | Provider Contingency Plan
  1. Require primary and alternate telecommunications service providers to have contingency plans;
  2. Review provider contingency plans to ensure that the plans meet organizational contingency requirements; and
  3. Obtain evidence of contingency testing and training by providers [Assignment: organization-defined frequency].
CP-8(5)Contingency PlanningTelecommunications Services | Alternate Telecommunication Service Testing

Test alternate telecommunication services [Assignment: organization-defined frequency].

CP-9Contingency PlanningSystem Backup
  1. Conduct backups of user-level information contained in [Assignment: organization-defined system components] [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
  2. Conduct backups of system-level information contained in the system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives];
  3. Conduct backups of system documentation, including security- and privacy-related documentation [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
  4. Protect the confidentiality, integrity, and availability of backup information.
CP-9(1)Contingency PlanningSystem Backup | Testing for Reliability and Integrity

Test backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity.

CP-9(2)Contingency PlanningSystem Backup | Test Restoration Using Sampling

Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing.

CP-9(3)Contingency PlanningSystem Backup | Separate Storage for Critical Information

Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system.

CP-9(5)Contingency PlanningSystem Backup | Transfer to Alternate Storage Site

Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives].

CP-9(6)Contingency PlanningSystem Backup | Redundant Secondary System

Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations.

CP-9(7)Contingency PlanningSystem Backup | Dual Authorization for Deletion or Destruction

Enforce dual authorization for the deletion or destruction of [Assignment: organization-defined backup information].

CP-9(8)Contingency PlanningSystem Backup | Cryptographic Protection

Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information].
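One way to satisfy CP-9(8), and to run the CP-9(1) reliability and integrity test against the result, is an authenticated cipher over each backup set. The Go program below is an added example, not part of the NIST control text or of this explorer; it assumes AES-256-GCM, a key supplied from a key management system, a hypothetical backup label scheme, and constructed sample content.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// BackupRecord is the stored form of a protected backup. The nonce travels with
// the ciphertext, GCM's authentication tag is appended to the ciphertext, and the
// label is bound as associated data so one set's blob cannot be passed off as
// another's without detection.
type BackupRecord struct {
	Label      string // hypothetical naming scheme, e.g. "db-2024-01-01"
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key -> AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts and authenticates plaintext under key, binding label.
func SealBackup(key []byte, label string, plaintext []byte) (*BackupRecord, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random 96-bit nonce per backup
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(label))
	return &BackupRecord{Label: label, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenBackup checks the tag over ciphertext and label before releasing any
// plaintext: a single flipped bit anywhere yields an error and no data.
func OpenBackup(key []byte, rec *BackupRecord) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Label))
	if err != nil {
		return nil, fmt.Errorf("backup %q failed integrity check: %w", rec.Label, err)
	}
	return pt, nil
}

// VerifyBackup is the periodic CP-9(1) test: authenticate without keeping plaintext.
func VerifyBackup(key []byte, rec *BackupRecord) bool {
	_, err := OpenBackup(key, rec)
	return err == nil
}

func main() {
	key := make([]byte, 32) // in practice fetched from a KMS/HSM, never stored beside the backup
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	data := []byte("users.sql: INSERT INTO users VALUES (1,'alice');") // constructed content
	rec, err := SealBackup(key, "db-2024-01-01", data)
	if err != nil {
		panic(err)
	}
	fmt.Println("intact backup verifies:", VerifyBackup(key, rec))

	tampered := *rec
	tampered.Ciphertext = append([]byte(nil), rec.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // one bit of stored data corrupted or altered
	fmt.Println("tampered backup verifies:", VerifyBackup(key, &tampered))
}
```

Two caveats a practitioner would add: with random 96-bit nonces, rotate the key long before 2^32 backups are sealed under it (nonce reuse under GCM breaks both confidentiality and integrity), and keep the key's availability in the contingency plan itself, since an unreadable key turns every backup into noise.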

CP-10Contingency PlanningSystem Recovery and Reconstitution

Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure.

CP-10(2)Contingency PlanningSystem Recovery and Reconstitution | Transaction Recovery

Implement transaction recovery for systems that are transaction-based.

CP-10(4)Contingency PlanningSystem Recovery and Reconstitution | Restore Within Time Period

Provide the capability to restore system components within [Assignment: organization-defined restoration time periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components.

CP-10(6)Contingency PlanningSystem Recovery and Reconstitution | Component Protection

Protect system components used for recovery and reconstitution.

CP-11Contingency PlanningAlternate Communications Protocols

Provide the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations.

CP-12Contingency PlanningSafe Mode

When [Assignment: organization-defined conditions] are detected, enter a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation].

CP-13Contingency PlanningAlternative Security Mechanisms

Employ [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised.

IA-1Identification and AuthenticationPolicy and Procedures
  1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
    1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] identification and authentication policy that:
      1. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      2. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
    2. Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls;
  2. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and
  3. Review and update the current identification and authentication:
    1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
IA-2Identification and AuthenticationIdentification and Authentication (organizational Users)

Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.

IA-2(1)Identification and AuthenticationIdentification and Authentication (organizational Users) | Multi-factor Authentication to Privileged Accounts

Implement multi-factor authentication for access to privileged accounts.

IA-2(2)Identification and AuthenticationIdentification and Authentication (organizational Users) | Multi-factor Authentication to Non-privileged Accounts

Implement multi-factor authentication for access to non-privileged accounts.

IA-2(5)Identification and AuthenticationIdentification and Authentication (organizational Users) | Individual Authentication with Group Authentication

When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources.

IA-2(6)Identification and AuthenticationIdentification and Authentication (organizational Users) | Access to Accounts — Separate Device

Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that:

  1. One of the factors is provided by a device separate from the system gaining access; and
  2. The device meets [Assignment: organization-defined strength of mechanism requirements].
IA-2(8)Identification and AuthenticationIdentification and Authentication (organizational Users) | Access to Accounts — Replay Resistant

Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts].
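The property IA-2(8) asks for is that a captured authentication exchange is worthless when presented again. The Go program below is an added example, not part of the NIST control text or of this explorer: a challenge-response over a shared key in which the verifier issues a single-use, expiring nonce and consumes it on first presentation. The client identifier, key store and clock are assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Verifier is the server side: it issues single-use challenges and checks the
// keyed responses. Shared secrets live in keys (a hypothetical store).
type Verifier struct {
	mu         sync.Mutex
	keys       map[string][]byte    // clientID -> shared secret
	challenges map[string]time.Time // outstanding nonce -> expiry
	ttl        time.Duration
	now        func() time.Time // injectable clock
}

func NewVerifier(ttl time.Duration, now func() time.Time) *Verifier {
	return &Verifier{keys: map[string][]byte{}, challenges: map[string]time.Time{}, ttl: ttl, now: now}
}

func (v *Verifier) Enroll(clientID string, key []byte) {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.keys[clientID] = key
}

// Challenge hands out a fresh 128-bit nonce that is valid for one response within ttl.
func (v *Verifier) Challenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b)
	v.mu.Lock()
	defer v.mu.Unlock()
	v.challenges[nonce] = v.now().Add(v.ttl)
	return nonce, nil
}

// Respond is the client side: HMAC over (clientID, nonce) proves possession of the
// key for this challenge only; the value is useless against any other nonce.
func Respond(key []byte, clientID, nonce string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(clientID))
	m.Write([]byte{0}) // domain separator between the two fields
	m.Write([]byte(nonce))
	return hex.EncodeToString(m.Sum(nil))
}

// Verify consumes the nonce before checking anything else, so a captured response
// cannot be replayed and a failed guess cannot be retried against the same nonce.
func (v *Verifier) Verify(clientID, nonce, response string) error {
	v.mu.Lock()
	defer v.mu.Unlock()
	expiry, ok := v.challenges[nonce]
	if !ok {
		return errors.New("unknown or already-used challenge")
	}
	delete(v.challenges, nonce)
	if v.now().After(expiry) {
		return errors.New("challenge expired")
	}
	key, ok := v.keys[clientID]
	if !ok {
		return errors.New("unknown client")
	}
	want := Respond(key, clientID, nonce)
	if subtle.ConstantTimeCompare([]byte(want), []byte(response)) != 1 {
		return errors.New("response does not match")
	}
	return nil
}

func main() {
	v := NewVerifier(30*time.Second, time.Now)
	key := []byte("constructed shared secret for device-42")
	v.Enroll("device-42", key)
	nonce, _ := v.Challenge()
	resp := Respond(key, "device-42", nonce) // suppose this is captured on the wire
	fmt.Println("first use:", v.Verify("device-42", nonce, resp))
	fmt.Println("replay:   ", v.Verify("device-42", nonce, resp))
}
```

The same pattern is what TLS client certificates, FIDO2 assertions and Kerberos authenticators provide with asymmetric keys or tickets; the essential features are the verifier-chosen freshness value and the one-shot bookkeeping. In a real deployment the challenges map needs a sweeper for expired entries, or a bounded store, so that abandoned challenges cannot exhaust memory.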

IA-2(10)Identification and AuthenticationIdentification and Authentication (organizational Users) | Single Sign-on

Provide a single sign-on capability for [Assignment: organization-defined system accounts and services].

IA-2(12)Identification and AuthenticationIdentification and Authentication (organizational Users) | Acceptance of PIV Credentials

Accept and electronically verify Personal Identity Verification-compliant credentials.

IA-2(13)Identification and AuthenticationIdentification and Authentication (organizational Users) | Out-of-band Authentication

Implement the following out-of-band authentication mechanisms under [Assignment: organization-defined conditions]: [Assignment: organization-defined out-of-band authentication].

IA-3Identification and AuthenticationDevice Identification and Authentication

Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.

IA-3(1)Identification and AuthenticationDevice Identification and Authentication | Cryptographic Bidirectional Authentication

Authenticate [Assignment: organization-defined devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based.

IA-3(3)Identification and AuthenticationDevice Identification and Authentication | Dynamic Address Allocation
  1. Where addresses are allocated dynamically, standardize dynamic address allocation lease information and the lease duration assigned to devices in accordance with [Assignment: organization-defined lease information and lease duration]; and
  2. Audit lease information when assigned to a device.
IA-3(4)Identification and AuthenticationDevice Identification and Authentication | Device Attestation

Handle device identification and authentication based on attestation by [Assignment: organization-defined configuration management process].

IA-4Identification and AuthenticationIdentifier Management

Manage system identifiers by:

  1. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, service, or device identifier;
  2. Selecting an identifier that identifies an individual, group, role, service, or device;
  3. Assigning the identifier to the intended individual, group, role, service, or device; and
  4. Preventing reuse of identifiers for [Assignment: organization-defined time period].
IA-4(1)Identification and AuthenticationIdentifier Management | Prohibit Account Identifiers as Public Identifiers

Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts.

IA-4(4)Identification and AuthenticationIdentifier Management | Identify User Status

Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status].

IA-4(5)Identification and AuthenticationIdentifier Management | Dynamic Management

Manage individual identifiers dynamically in accordance with [Assignment: organization-defined dynamic identifier policy].

IA-4(6)Identification and AuthenticationIdentifier Management | Cross-organization Management

Coordinate with the following external organizations for cross-organization management of identifiers: [Assignment: organization-defined external organizations].

IA-4(8)Identification and AuthenticationIdentifier Management | Pairwise Pseudonymous Identifiers

Generate pairwise pseudonymous identifiers.
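A pairwise pseudonymous identifier is one the identity provider derives separately for each relying party, so two relying parties comparing notes cannot tell they are seeing the same person. The Go function below is an added example, not part of the NIST control text or of this explorer; the keyed derivation over the relying party's sector identifier and the internal subject is the approach used for pairwise subject identifiers in OpenID Connect, and the secret, subject and relying-party names are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// PairwiseID derives the subject identifier an identity provider releases to one
// relying party. It is keyed with an IdP-only secret and bound to the relying
// party's sector identifier, so the same person gets a different, unlinkable
// identifier at every relying party, yet a stable one on every return visit.
func PairwiseID(idpSecret []byte, internalSubject, sectorIdentifier string) string {
	m := hmac.New(sha256.New, idpSecret)
	m.Write([]byte(sectorIdentifier))
	m.Write([]byte{0}) // separator: "a"+"bc" and "ab"+"c" must not collide
	m.Write([]byte(internalSubject))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

func main() {
	secret := []byte("constructed IdP pairwise secret; rotating it changes every identifier")
	for _, rp := range []string{"payroll.example.org", "travel.example.net"} {
		fmt.Printf("alice @ %-20s -> %s\n", rp, PairwiseID(secret, "alice@example.org", rp))
	}
	fmt.Println("stable across visits:",
		PairwiseID(secret, "alice@example.org", "payroll.example.org") ==
			PairwiseID(secret, "alice@example.org", "payroll.example.org"))
}
```

Because the identifier is a keyed hash rather than a lookup table, the provider needs no per-relying-party storage, but the secret is now part of the identity data: losing it orphans every account downstream, and a rotation requires a migration plan.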

IA-4(9)Identification and AuthenticationIdentifier Management | Attribute Maintenance and Protection

Maintain the attributes for each uniquely identified individual, device, or service in [Assignment: organization-defined protected central storage].

IA-5Identification and AuthenticationAuthenticator Management

Manage system authenticators by:

  1. Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
  2. Establishing initial authenticator content for any authenticators issued by the organization;
  3. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
  4. Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
  5. Changing default authenticators prior to first use;
  6. Changing or refreshing authenticators [Assignment: organization-defined time period by authenticator type] or when [Assignment: organization-defined events] occur;
  7. Protecting authenticator content from unauthorized disclosure and modification;
  8. Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
  9. Changing authenticators for group or role accounts when membership to those accounts changes.
IA-5(1)Identification and AuthenticationAuthenticator Management | Password-based Authentication

For password-based authentication:

  1. Maintain a list of commonly-used, expected, or compromised passwords and update the list [Assignment: organization-defined frequency] and when organizational passwords are suspected to have been compromised directly or indirectly;
  2. Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);
  3. Transmit passwords only over cryptographically-protected channels;
  4. Store passwords using an approved salted key derivation function, preferably using a keyed hash;
  5. Require immediate selection of a new password upon account recovery;
  6. Allow user selection of long passwords and passphrases, including spaces and all printable characters;
  7. Employ automated tools to assist the user in selecting strong password authenticators; and
  8. Enforce the following composition and complexity rules: [Assignment: organization-defined composition and complexity rules].
IA-5(2)Identification and AuthenticationAuthenticator Management | Public Key-based Authentication
  1. For public key-based authentication:
    1. Enforce authorized access to the corresponding private key; and
    2. Map the authenticated identity to the account of the individual or group; and
  2. When public key infrastructure (PKI) is used:
    1. Validate certificates by constructing and verifying a certification path to an accepted trust anchor, including checking certificate status information; and
    2. Implement a local cache of revocation data to support path discovery and validation.
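IA-5(2)(b) and CM-14 are two ends of one mechanism: a verifier builds a certification path from the signer's certificate to an anchor the organization approves, consults locally cached revocation data for every certificate on that path, and only then checks the signature over the artifact. The Go program below is an added example, not part of the NIST control text or of this explorer; it serves both controls. The throwaway CA, the signer certificate, the component bytes and the revocation cache (populated directly instead of from a CRL or OCSP response) are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationCache is the local copy of revocation data (IA-5(2)(b)(2)), keyed by
// "issuer|serial". A deployment refreshes it from the CA's CRL or OCSP responder.
type RevocationCache map[string]bool

// Installer holds the organization-approved trust anchors and the revocation cache.
type Installer struct {
	Roots   *x509.CertPool
	Revoked RevocationCache
}

// VerifySignedComponent is the CM-14 gate: build and verify a certification path
// from the signer certificate to an approved anchor (IA-5(2)(b)(1)), check every
// certificate on it against the cache, then verify the ECDSA-P256/SHA-256 signature.
func (in Installer) VerifySignedComponent(component, sig, signerDER []byte) error {
	signer, err := x509.ParseCertificate(signerDER)
	if err != nil {
		return err
	}
	chains, err := signer.Verify(x509.VerifyOptions{
		Roots:     in.Roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		return fmt.Errorf("path validation failed: %w", err)
	}
	for _, c := range chains[0] {
		if in.Revoked[c.Issuer.String()+"|"+c.SerialNumber.String()] {
			return fmt.Errorf("certificate %q (serial %s) is revoked", c.Subject.CommonName, c.SerialNumber)
		}
	}
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, component, sig); err != nil {
		return fmt.Errorf("component signature invalid: %w", err)
	}
	return nil
}

// SignComponent is the build pipeline's side of CM-14.
func SignComponent(key *ecdsa.PrivateKey, component []byte) ([]byte, error) {
	digest := sha256.Sum256(component)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// Issue creates a throwaway self-signed CA (parent == nil) or a code-signing leaf under parent.
func Issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	ca, caKey, _ := Issue("Example Org Code Signing CA", 1, nil, nil)
	signer, signerKey, _ := Issue("build-signer", 1001, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	in := Installer{Roots: roots, Revoked: RevocationCache{}}
	component := []byte("firmware-v1.2.bin contents (constructed)")
	sig, _ := SignComponent(signerKey, component)
	fmt.Println("approved signer:", in.VerifySignedComponent(component, sig, signer.Raw))
	fmt.Println("tampered bytes: ", in.VerifySignedComponent([]byte("firmware-v1.2.bin contents (tampered)"), sig, signer.Raw))
	rogueCA, rogueCAKey, _ := Issue("Not Our CA", 1, nil, nil)
	rogue, rogueKey, _ := Issue("build-signer", 1, rogueCA, rogueCAKey)
	rogueSig, _ := SignComponent(rogueKey, component)
	fmt.Println("unapproved CA:  ", in.VerifySignedComponent(component, rogueSig, rogue.Raw))
	in.Revoked[ca.Subject.String()+"|"+signer.SerialNumber.String()] = true
	fmt.Println("revoked signer: ", in.VerifySignedComponent(component, sig, signer.Raw))
}
```

The order of the checks matters: the signature is verified last, after the path and revocation status have established that the key is one the organization actually trusts, so a valid signature from a key the organization never approved, or has since revoked, never reaches the install step. The rogue-CA case is the one CM-14 exists for; a technically valid signature chain is not enough, it must terminate at an approved anchor.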
IA-5(5)Identification and AuthenticationAuthenticator Management | Change Authenticators Prior to Delivery

Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation.

IA-5(6)Identification and AuthenticationAuthenticator Management | Protection of Authenticators

Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access.

IA-5(7)Identification and AuthenticationAuthenticator Management | No Embedded Unencrypted Static Authenticators

Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage.

IA-5(8)Identification and AuthenticationAuthenticator Management | Multiple System Accounts

Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems.

IA-5(9)Identification and AuthenticationAuthenticator Management | Federated Credential Management

Use the following external organizations to federate credentials: [Assignment: organization-defined external organizations].

IA-5(10)Identification and AuthenticationAuthenticator Management | Dynamic Credential Binding

Bind identities and authenticators dynamically using the following rules: [Assignment: organization-defined binding rules].

IA-5(12)Identification and AuthenticationAuthenticator Management | Biometric Authentication Performance

For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements: [Assignment: organization-defined biometric quality requirements].

IA-5(13)Identification and AuthenticationAuthenticator Management | Expiration of Cached Authenticators

Prohibit the use of cached authenticators after [Assignment: organization-defined time period].

IA-5(14)Identification and AuthenticationAuthenticator Management | Managing Content of PKI Trust Stores

For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications.

IA-5(15)Identification and AuthenticationAuthenticator Management | GSA-approved Products and Services

Use only General Services Administration-approved products and services for identity, credential, and access management.

IA-5(16)Identification and AuthenticationAuthenticator Management | In-person or Trusted External Party Authenticator Issuance

Require that the issuance of [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted external party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles].

IA-5(17)Identification and AuthenticationAuthenticator Management | Presentation Attack Detection for Biometric Authenticators

Employ presentation attack detection mechanisms for biometric-based authentication.

IA-5(18)Identification and AuthenticationAuthenticator Management | Password Managers
  1. Employ [Assignment: organization-defined password managers] to generate and manage passwords; and
  2. Protect the passwords using [Assignment: organization-defined controls].
IA-6Identification and AuthenticationAuthentication Feedback

Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals.

IA-7Identification and AuthenticationCryptographic Module Authentication

Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.

IA-8Identification and AuthenticationIdentification and Authentication (non-organizational Users)

Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users.

IA-8(1)Identification and AuthenticationIdentification and Authentication (non-organizational Users) | Acceptance of PIV Credentials from Other Agencies

Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies.

IA-8(2)Identification and AuthenticationIdentification and Authentication (non-organizational Users) | Acceptance of External Authenticators
  1. Accept only external authenticators that are NIST-compliant; and
  2. Document and maintain a list of accepted external authenticators.
IA-8(4)Identification and AuthenticationIdentification and Authentication (non-organizational Users) | Use of Defined Profiles

Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles].

IA-8(5)Identification and AuthenticationIdentification and Authentication (non-organizational Users) | Acceptance of PIV-I Credentials

Accept and verify federated or PKI credentials that meet [Assignment: organization-defined policy].

IA-8(6)Identification and AuthenticationIdentification and Authentication (non-organizational Users) | Disassociability

Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [Assignment: organization-defined measures].

IA-9Identification and AuthenticationService Identification and Authentication

Uniquely identify and authenticate [Assignment: organization-defined system services and applications] before establishing communications with devices, users, or other services or applications.

IA-10Identification and AuthenticationAdaptive Authentication

Require individuals accessing the system to employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations].

IA-11Identification and AuthenticationRe-authentication

Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication].

IA-12Identification and AuthenticationIdentity Proofing
  1. Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines;
  2. Resolve user identities to a unique individual; and
  3. Collect, validate, and verify identity evidence.
IA-12(1)Identification and AuthenticationIdentity Proofing | Supervisor Authorization

Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization.

IA-12(2)Identification and AuthenticationIdentity Proofing | Identity Evidence

Require evidence of individual identification be presented to the registration authority.

IA-12(3)Identification and AuthenticationIdentity Proofing | Identity Evidence Validation and Verification

Require that the presented identity evidence be validated and verified through [Assignment: organization-defined methods of validation and verification].

IA-12(4)Identification and AuthenticationIdentity Proofing | In-person Validation and Verification

Require that the validation and verification of identity evidence be conducted in person before a designated registration authority.

IA-12(5)Identification and AuthenticationIdentity Proofing | Address Confirmation

Require that a [Selection: registration code; notice of proofing] be delivered through an out-of-band channel to verify the user's address (physical or digital) of record.

IA-12(6)Identification and AuthenticationIdentity Proofing | Accept Externally-proofed Identities

Accept externally-proofed identities at [Assignment: organization-defined identity assurance level].

IR-1Incident ResponsePolicy and Procedures
  1. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
    1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] incident response policy that:
      1. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      2. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
    2. Procedures to facilitate the implementation of the incident response policy and the associated incident response controls;
  2. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the incident response policy and procedures; and
  3. Review and update the current incident response:
    1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
IR-2Incident ResponseIncident Response Training
  1. Provide incident response training to system users consistent with assigned roles and responsibilities:
    1. Within [Assignment: organization-defined time period] of assuming an incident response role or responsibility or acquiring system access;
    2. When required by system changes; and
    3. [Assignment: organization-defined frequency] thereafter; and
  2. Review and update incident response training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
IR-2(1)Incident ResponseIncident Response Training | Simulated Events

Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations.

IR-2(2)Incident ResponseIncident Response Training | Automated Training Environments

Provide an incident response training environment using [Assignment: organization-defined automated mechanisms].

IR-2(3)Incident ResponseIncident Response Training | Breach

Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach.

IR-3Incident ResponseIncident Response Testing

Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests].

IR-3(1)Incident ResponseIncident Response Testing | Automated Testing

Test the incident response capability using [Assignment: organization-defined automated mechanisms].

IR-3(2)Incident ResponseIncident Response Testing | Coordination with Related Plans

Coordinate incident response testing with organizational elements responsible for related plans.

IR-3(3)Incident ResponseIncident Response Testing | Continuous Improvement

Use qualitative and quantitative data from testing to:

  1. Determine the effectiveness of incident response processes;
  2. Continuously improve incident response processes; and
  3. Provide incident response measures and metrics that are accurate, consistent, and in a reproducible format.
IR-4Incident ResponseIncident Handling
  1. Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery;
  2. Coordinate incident handling activities with contingency planning activities;
  3. Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and
  4. Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
IR-4(1)Incident ResponseIncident Handling | Automated Incident Handling Processes

Support the incident handling process using [Assignment: organization-defined automated mechanisms].

IR-4(2)Incident ResponseIncident Handling | Dynamic Reconfiguration

Include the following types of dynamic reconfiguration for [Assignment: organization-defined system components] as part of the incident response capability: [Assignment: organization-defined types of dynamic reconfiguration].

IR-4(3)Incident ResponseIncident Handling | Continuity of Operations

Identify [Assignment: organization-defined classes of incidents] and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: [Assignment: organization-defined actions to take in response to classes of incidents].
