NIST 800-53B Control Baseline
ID | Family | Title | Enhancement | Requirement |
---|---|---|---|---|
AC-1 | Access Control | Policy and Procedures | | |
AC-2 | Access Control | Account Management | | |
AC-2(1) | Access Control | Account Management | Automated System Account Management | Support the management of system accounts using [Assignment: organization-defined automated mechanisms]. |
AC-2(2) | Access Control | Account Management | Automated Temporary and Emergency Account Management | Automatically [Selection: remove; disable] temporary and emergency accounts after [Assignment: organization-defined time period for each type of account]. |
AC-2(3) | Access Control | Account Management | Disable Accounts | Disable accounts within [Assignment: organization-defined time period] when the accounts: |
AC-2(4) | Access Control | Account Management | Automated Audit Actions | Automatically audit account creation, modification, enabling, disabling, and removal actions. |
AC-2(5) | Access Control | Account Management | Inactivity Logout | Require that users log out when [Assignment: organization-defined time period of expected inactivity or description of when to log out]. |
AC-2(6) | Access Control | Account Management | Dynamic Privilege Management | Implement [Assignment: organization-defined dynamic privilege management capabilities]. |
AC-2(7) | Access Control | Account Management | Privileged User Accounts | |
AC-2(8) | Access Control | Account Management | Dynamic Account Management | Create, activate, manage, and deactivate [Assignment: organization-defined system accounts] dynamically. |
AC-2(9) | Access Control | Account Management | Restrictions on Use of Shared and Group Accounts | Only permit the use of shared and group accounts that meet [Assignment: organization-defined conditions for establishing shared and group accounts]. |
AC-2(11) | Access Control | Account Management | Usage Conditions | Enforce [Assignment: organization-defined circumstances and/or usage conditions] for [Assignment: organization-defined system accounts]. |
AC-2(12) | Access Control | Account Management | Account Monitoring for Atypical Usage | |
AC-2(13) | Access Control | Account Management | Disable Accounts for High-risk Individuals | Disable accounts of individuals within [Assignment: organization-defined time period] of discovery of [Assignment: organization-defined significant risks]. |
AC-3 | Access Control | Access Enforcement | | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
AC-3(2) | Access Control | Access Enforcement | Dual Authorization | Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions]. |
AC-3(3) | Access Control | Access Enforcement | Mandatory Access Control | Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: |
AC-3(4) | Access Control | Access Enforcement | Discretionary Access Control | Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: |
AC-3(5) | Access Control | Access Enforcement | Security-relevant Information | Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states. |
AC-3(7) | Access Control | Access Enforcement | Role-based Access Control | Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles]. |
AC-3(8) | Access Control | Access Enforcement | Revocation of Access Authorizations | Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations]. |
AC-3(9) | Access Control | Access Enforcement | Controlled Release | Release information outside of the system only if: |
AC-3(10) | Access Control | Access Enforcement | Audited Override of Access Control Mechanisms | Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles]. |
AC-3(11) | Access Control | Access Enforcement | Restrict Access to Specific Information Types | Restrict access to data repositories containing [Assignment: organization-defined information types]. |
AC-3(12) | Access Control | Access Enforcement | Assert and Enforce Application Access | |
AC-3(13) | Access Control | Access Enforcement | Attribute-based Access Control | Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions]. |
AC-3(14) | Access Control | Access Enforcement | Individual Access | Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements]. |
AC-3(15) | Access Control | Access Enforcement | Discretionary and Mandatory Access Control | |
AC-4 | Access Control | Information Flow Enforcement | | Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on [Assignment: organization-defined information flow control policies]. |
AC-4(1) | Access Control | Information Flow Enforcement | Object Security and Privacy Attributes | Use [Assignment: organization-defined security and privacy attributes] associated with [Assignment: organization-defined information, source, and destination objects] to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. |
AC-4(2) | Access Control | Information Flow Enforcement | Processing Domains | Use protected processing domains to enforce [Assignment: organization-defined information flow control policies] as a basis for flow control decisions. |
AC-4(3) | Access Control | Information Flow Enforcement | Dynamic Information Flow Control | Enforce [Assignment: organization-defined information flow control policies]. |
AC-4(4) | Access Control | Information Flow Enforcement | Flow Control of Encrypted Information | Prevent encrypted information from bypassing [Assignment: organization-defined information flow control mechanisms] by [Selection (one or more): decrypting the information; blocking the flow of the encrypted information; terminating communications sessions attempting to pass encrypted information; [Assignment: organization-defined procedure or method]]. |
AC-4(5) | Access Control | Information Flow Enforcement | Embedded Data Types | Enforce [Assignment: organization-defined limitations] on embedding data types within other data types. |
AC-4(6) | Access Control | Information Flow Enforcement | Metadata | Enforce information flow control based on [Assignment: organization-defined metadata]. |
AC-4(7) | Access Control | Information Flow Enforcement | One-way Flow Mechanisms | Enforce one-way information flows through hardware-based flow control mechanisms. |
AC-4(8) | Access Control | Information Flow Enforcement | Security and Privacy Policy Filters | |
AC-4(9) | Access Control | Information Flow Enforcement | Human Reviews | Enforce the use of human reviews for [Assignment: organization-defined information flows] under the following conditions: [Assignment: organization-defined conditions]. |
AC-4(10) | Access Control | Information Flow Enforcement | Enable and Disable Security or Privacy Policy Filters | Provide the capability for privileged administrators to enable and disable [Assignment: organization-defined security or privacy policy filters] under the following conditions: [Assignment: organization-defined conditions]. |
AC-4(11) | Access Control | Information Flow Enforcement | Configuration of Security or Privacy Policy Filters | Provide the capability for privileged administrators to configure [Assignment: organization-defined security or privacy policy filters] to support different security or privacy policies. |
AC-4(12) | Access Control | Information Flow Enforcement | Data Type Identifiers | When transferring information between different security domains, use [Assignment: organization-defined data type identifiers] to validate data essential for information flow decisions. |
AC-4(13) | Access Control | Information Flow Enforcement | Decomposition into Policy-relevant Subcomponents | When transferring information between different security domains, decompose information into [Assignment: organization-defined policy-relevant subcomponents] for submission to policy enforcement mechanisms. |
AC-4(14) | Access Control | Information Flow Enforcement | Security or Privacy Policy Filter Constraints | When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] requiring fully enumerated formats that restrict data structure and content. |
AC-4(15) | Access Control | Information Flow Enforcement | Detection of Unsanctioned Information | When transferring information between different security domains, examine the information for the presence of [Assignment: organization-defined unsanctioned information] and prohibit the transfer of such information in accordance with the [Assignment: organization-defined security or privacy policy]. |
AC-4(17) | Access Control | Information Flow Enforcement | Domain Authentication | Uniquely identify and authenticate source and destination points by [Selection (one or more): organization; system; application; service; individual] for information transfer. |
AC-4(19) | Access Control | Information Flow Enforcement | Validation of Metadata | When transferring information between different security domains, implement [Assignment: organization-defined security or privacy policy filters] on metadata. |
AC-4(20) | Access Control | Information Flow Enforcement | Approved Solutions | Employ [Assignment: organization-defined solutions in approved configurations] to control the flow of [Assignment: organization-defined information] across security domains. |
AC-4(21) | Access Control | Information Flow Enforcement | Physical or Logical Separation of Information Flows | Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. |
AC-4(22) | Access Control | Information Flow Enforcement | Access Only | Provide access from a single device to computing platforms, applications, or data residing in multiple different security domains, while preventing information flow between the different security domains. |
AC-4(23) | Access Control | Information Flow Enforcement | Modify Non-releasable Information | When transferring information between different security domains, modify non-releasable information by implementing [Assignment: organization-defined modification action]. |
AC-4(24) | Access Control | Information Flow Enforcement | Internal Normalized Format | When transferring information between different security domains, parse incoming data into an internal normalized format and regenerate the data to be consistent with its intended specification. |
AC-4(25) | Access Control | Information Flow Enforcement | Data Sanitization | When transferring information between different security domains, sanitize data to minimize [Selection (one or more): delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data; spillage of sensitive information] in accordance with [Assignment: organization-defined policy]. |
AC-4(26) | Access Control | Information Flow Enforcement | Audit Filtering Actions | When transferring information between different security domains, record and audit content filtering actions and results for the information being filtered. |
AC-4(27) | Access Control | Information Flow Enforcement | Redundant/independent Filtering Mechanisms | When transferring information between different security domains, implement content filtering solutions that provide redundant and independent filtering mechanisms for each data type. |
AC-4(28) | Access Control | Information Flow Enforcement | Linear Filter Pipelines | When transferring information between different security domains, implement a linear content filter pipeline that is enforced with discretionary and mandatory access controls. |
AC-4(29) | Access Control | Information Flow Enforcement | Filter Orchestration Engines | When transferring information between different security domains, employ content filter orchestration engines to ensure that: |
AC-4(30) | Access Control | Information Flow Enforcement | Filter Mechanisms Using Multiple Processes | When transferring information between different security domains, implement content filtering mechanisms using multiple processes. |
AC-4(31) | Access Control | Information Flow Enforcement | Failed Content Transfer Prevention | When transferring information between different security domains, prevent the transfer of failed content to the receiving domain. |
AC-4(32) | Access Control | Information Flow Enforcement | Process Requirements for Information Transfer | When transferring information between different security domains, the process that transfers information between filter pipelines: |
AC-5 | Access Control | Separation of Duties | | |
AC-6 | Access Control | Least Privilege | | Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks. |
AC-6(1) | Access Control | Least Privilege | Authorize Access to Security Functions | Authorize access for [Assignment: organization-defined individuals or roles] to: |
AC-6(2) | Access Control | Least Privilege | Non-privileged Access for Nonsecurity Functions | Require that users of system accounts (or roles) with access to [Assignment: organization-defined security functions or security-relevant information] use non-privileged accounts or roles, when accessing nonsecurity functions. |
AC-6(3) | Access Control | Least Privilege | Network Access to Privileged Commands | Authorize network access to [Assignment: organization-defined privileged commands] only for [Assignment: organization-defined compelling operational needs] and document the rationale for such access in the security plan for the system. |
AC-6(4) | Access Control | Least Privilege | Separate Processing Domains | Provide separate processing domains to enable finer-grained allocation of user privileges. |
AC-6(5) | Access Control | Least Privilege | Privileged Accounts | Restrict privileged accounts on the system to [Assignment: organization-defined personnel or roles]. |
AC-6(6) | Access Control | Least Privilege | Privileged Access by Non-organizational Users | Prohibit privileged access to the system by non-organizational users. |
AC-6(7) | Access Control | Least Privilege | Review of User Privileges | |
AC-6(8) | Access Control | Least Privilege | Privilege Levels for Code Execution | Prevent the following software from executing at higher privilege levels than users executing the software: [Assignment: organization-defined software]. |
AC-6(9) | Access Control | Least Privilege | Log Use of Privileged Functions | Log the execution of privileged functions. |
AC-6(10) | Access Control | Least Privilege | Prohibit Non-privileged Users from Executing Privileged Functions | Prevent non-privileged users from executing privileged functions. |
AC-7 | Access Control | Unsuccessful Logon Attempts | | |
AC-7(2) | Access Control | Unsuccessful Logon Attempts | Purge or Wipe Mobile Device | Purge or wipe information from [Assignment: organization-defined mobile devices] based on [Assignment: organization-defined purging or wiping requirements and techniques] after [Assignment: organization-defined number] consecutive, unsuccessful device logon attempts. |
AC-7(3) | Access Control | Unsuccessful Logon Attempts | Biometric Attempt Limiting | Limit the number of unsuccessful biometric logon attempts to [Assignment: organization-defined number]. |
AC-7(4) | Access Control | Unsuccessful Logon Attempts | Use of Alternate Authentication Factor | |
AC-8 | Access Control | System Use Notification | | |
AC-9 | Access Control | Previous Logon Notification | | Notify the user, upon successful logon to the system, of the date and time of the last logon. |
AC-9(1) | Access Control | Previous Logon Notification | Unsuccessful Logons | Notify the user, upon successful logon, of the number of unsuccessful logon attempts since the last successful logon. |
AC-9(2) | Access Control | Previous Logon Notification | Successful and Unsuccessful Logons | Notify the user, upon successful logon, of the number of [Selection: successful logons; unsuccessful logon attempts; both] during [Assignment: organization-defined time period]. |
AC-9(3) | Access Control | Previous Logon Notification | Notification of Account Changes | Notify the user, upon successful logon, of changes to [Assignment: organization-defined security-related characteristics or parameters of the user’s account] during [Assignment: organization-defined time period]. |
AC-9(4) | Access Control | Previous Logon Notification | Additional Logon Information | Notify the user, upon successful logon, of the following additional information: [Assignment: organization-defined additional information]. |
AC-10 | Access Control | Concurrent Session Control | | Limit the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number]. |
AC-11 | Access Control | Device Lock | | |
AC-11(1) | Access Control | Device Lock | Pattern-hiding Displays | Conceal, via the device lock, information previously visible on the display with a publicly viewable image. |
AC-12 | Access Control | Session Termination | | Automatically terminate a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect]. |
AC-12(1) | Access Control | Session Termination | User-initiated Logouts | Provide a logout capability for user-initiated communications sessions whenever authentication is used to gain access to [Assignment: organization-defined information resources]. |
AC-12(2) | Access Control | Session Termination | Termination Message | Display an explicit logout message to users indicating the termination of authenticated communications sessions. |
AC-12(3) | Access Control | Session Termination | Timeout Warning Message | Display an explicit message to users indicating that the session will end in [Assignment: organization-defined time until end of session]. |
AC-14 | Access Control | Permitted Actions Without Identification or Authentication | | |
AC-16 | Access Control | Security and Privacy Attributes | | |
AC-16(1) | Access Control | Security and Privacy Attributes | Dynamic Attribute Association | Dynamically associate security and privacy attributes with [Assignment: organization-defined subjects and objects] in accordance with the following security and privacy policies as information is created and combined: [Assignment: organization-defined security and privacy policies]. |
AC-16(2) | Access Control | Security and Privacy Attributes | Attribute Value Changes by Authorized Individuals | Provide authorized individuals (or processes acting on behalf of individuals) the capability to define or change the value of associated security and privacy attributes. |
AC-16(3) | Access Control | Security and Privacy Attributes | Maintenance of Attribute Associations by System | Maintain the association and integrity of [Assignment: organization-defined security and privacy attributes] to [Assignment: organization-defined subjects and objects]. |
AC-16(4) | Access Control | Security and Privacy Attributes | Association of Attributes by Authorized Individuals | Provide the capability to associate [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] by authorized individuals (or processes acting on behalf of individuals). |
AC-16(5) | Access Control | Security and Privacy Attributes | Attribute Displays on Objects to Be Output | Display security and privacy attributes in human-readable form on each object that the system transmits to output devices to identify [Assignment: organization-defined special dissemination, handling, or distribution instructions] using [Assignment: organization-defined human-readable, standard naming conventions]. |
AC-16(6) | Access Control | Security and Privacy Attributes | Maintenance of Attribute Association | Require personnel to associate and maintain the association of [Assignment: organization-defined security and privacy attributes] with [Assignment: organization-defined subjects and objects] in accordance with [Assignment: organization-defined security and privacy policies]. |
AC-16(7) | Access Control | Security and Privacy Attributes | Consistent Attribute Interpretation | Provide a consistent interpretation of security and privacy attributes transmitted between distributed system components. |
AC-16(8) | Access Control | Security and Privacy Attributes | Association Techniques and Technologies | Implement [Assignment: organization-defined techniques and technologies] in associating security and privacy attributes to information. |
AC-16(9) | Access Control | Security and Privacy Attributes | Attribute Reassignment — Regrading Mechanisms | Change security and privacy attributes associated with information only via regrading mechanisms validated using [Assignment: organization-defined techniques or procedures]. |
AC-16(10) | Access Control | Security and Privacy Attributes | Attribute Configuration by Authorized Individuals | Provide authorized individuals the capability to define or change the type and value of security and privacy attributes available for association with subjects and objects. |
AC-17 | Access Control | Remote Access | | |
AC-17(1) | Access Control | Remote Access | Monitoring and Control | Employ automated mechanisms to monitor and control remote access methods. |
AC-17(2) | Access Control | Remote Access | Protection of Confidentiality and Integrity Using Encryption | Implement cryptographic mechanisms to protect the confidentiality and integrity of remote access sessions. |
AC-17(3) | Access Control | Remote Access | Managed Access Control Points | Route remote accesses through authorized and managed network access control points. |
AC-17(4) | Access Control | Remote Access | Privileged Commands and Access | |
AC-17(6) | Access Control | Remote Access | Protection of Mechanism Information | Protect information about remote access mechanisms from unauthorized use and disclosure. |
AC-17(9) | Access Control | Remote Access | Disconnect or Disable Access | Provide the capability to disconnect or disable remote access to the system within [Assignment: organization-defined time period]. |
AC-17(10) | Access Control | Remote Access | Authenticate Remote Commands | Implement [Assignment: organization-defined mechanisms] to authenticate [Assignment: organization-defined remote commands]. |
AC-18 | Access Control | Wireless Access | | |
AC-18(1) | Access Control | Wireless Access | Authentication and Encryption | Protect wireless access to the system using authentication of [Selection (one or more): users; devices] and encryption. |
AC-18(3) | Access Control | Wireless Access | Disable Wireless Networking | Disable, when not intended for use, wireless networking capabilities embedded within system components prior to issuance and deployment. |
AC-18(4) | Access Control | Wireless Access | Restrict Configurations by Users | Identify and explicitly authorize users allowed to independently configure wireless networking capabilities. |
AC-18(5) | Access Control | Wireless Access | Antennas and Transmission Power Levels | Select radio antennas and calibrate transmission power levels to reduce the probability that signals from wireless access points can be received outside of organization-controlled boundaries. |
AC-19 | Access Control | Access Control for Mobile Devices | | |
AC-19(4) | Access Control | Access Control for Mobile Devices | Restrictions for Classified Information | |
AC-19(5) | Access Control | Access Control for Mobile Devices | Full Device or Container-based Encryption | Employ [Selection: full-device encryption; container-based encryption] to protect the confidentiality and integrity of information on [Assignment: organization-defined mobile devices]. |
AC-20 | Access Control | Use of External Systems | | |
AC-20(1) | Access Control | Use of External Systems | Limits on Authorized Use | Permit authorized individuals to use an external system to access the system or to process, store, or transmit organization-controlled information only after: |
AC-20(2) | Access Control | Use of External Systems | Portable Storage Devices — Restricted Use | Restrict the use of organization-controlled portable storage devices by authorized individuals on external systems using [Assignment: organization-defined restrictions]. |
AC-20(3) | Access Control | Use of External Systems | Non-organizationally Owned Systems — Restricted Use | Restrict the use of non-organizationally owned systems or system components to process, store, or transmit organizational information using [Assignment: organization-defined restrictions]. |
AC-20(4) | Access Control | Use of External Systems | Network Accessible Storage Devices — Prohibited Use | Prohibit the use of [Assignment: organization-defined network accessible storage devices] in external systems. |
AC-20(5) | Access Control | Use of External Systems | Portable Storage Devices — Prohibited Use | Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems. |
AC-21 | Access Control | Information Sharing | | |
AC-21(1) | Access Control | Information Sharing | Automated Decision Support | Employ [Assignment: organization-defined automated mechanisms] to enforce information-sharing decisions by authorized users based on access authorizations of sharing partners and access restrictions on information to be shared. |
AC-21(2) | Access Control | Information Sharing | Information Search and Retrieval | Implement information search and retrieval services that enforce [Assignment: organization-defined information sharing restrictions]. |
AC-22 | Access Control | Publicly Accessible Content | | |
AC-23 | Access Control | Data Mining Protection | | Employ [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to detect and protect against unauthorized data mining. |
AC-24 | Access Control | Access Control Decisions | | [Selection: Establish procedures; Implement mechanisms] to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement. |
AC-24(1) | Access Control | Access Control Decisions | Transmit Access Authorization Information | Transmit [Assignment: organization-defined access authorization information] using [Assignment: organization-defined controls] to [Assignment: organization-defined systems] that enforce access control decisions. |
AC-24(2) | Access Control | Access Control Decisions | No User or Process Identity | Enforce access control decisions based on [Assignment: organization-defined security or privacy attributes] that do not include the identity of the user or process acting on behalf of the user. |
AC-25 | Access Control | Reference Monitor | | Implement a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured. |
AT-1 | Awareness and Training | Policy and Procedures | | |
AT-2 | Awareness and Training | Literacy Training and Awareness | | |
AT-2(1) | Awareness and Training | Literacy Training and Awareness | Practical Exercises | Provide practical exercises in literacy training that simulate events and incidents. |
AT-2(2) | Awareness and Training | Literacy Training and Awareness | Insider Threat | Provide literacy training on recognizing and reporting potential indicators of insider threat. |
AT-2(3) | Awareness and Training | Literacy Training and Awareness | Social Engineering and Mining | Provide literacy training on recognizing and reporting potential and actual instances of social engineering and social mining. |
AT-2(4) | Awareness and Training | Literacy Training and Awareness | Suspicious Communications and Anomalous System Behavior | Provide literacy training on recognizing suspicious communications and anomalous behavior in organizational systems using [Assignment: organization-defined indicators of malicious code]. |
AT-2(5) | Awareness and Training | Literacy Training and Awareness | Advanced Persistent Threat | Provide literacy training on the advanced persistent threat. |
AT-2(6) | Awareness and Training | Literacy Training and Awareness | Cyber Threat Environment | |
AT-3 | Awareness and Training | Role-based Training | | |
AT-3(1) | Awareness and Training | Role-based Training | Environmental Controls | Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of environmental controls. |
AT-3(2) | Awareness and Training | Role-based Training | Physical Security Controls | Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of physical security controls. |
AT-3(3) | Awareness and Training | Role-based Training | Practical Exercises | Provide practical exercises in security and privacy training that reinforce training objectives. |
AT-3(5) | Awareness and Training | Role-based Training | Processing Personally Identifiable Information | Provide [Assignment: organization-defined personnel or roles] with initial and [Assignment: organization-defined frequency] training in the employment and operation of personally identifiable information processing and transparency controls. |
AT-4 | Awareness and Training | Training Records | | |
AT-6 | Awareness and Training | Training Feedback | | Provide feedback on organizational training results to the following personnel [Assignment: organization-defined frequency]: [Assignment: organization-defined personnel]. |
AU-1 | Audit and Accountability | Policy and Procedures | | |
AU-2 | Audit and Accountability | Event Logging | | |
AU-3 | Audit and Accountability | Content of Audit Records | | Ensure that audit records contain information that establishes the following: |
AU-3(1) | Audit and Accountability | Content of Audit Records | Additional Audit Information | Generate audit records containing the following additional information: [Assignment: organization-defined additional information]. |
AU-3(3) | Audit and Accountability | Content of Audit Records | Limit Personally Identifiable Information Elements | Limit personally identifiable information contained in audit records to the following elements identified in the privacy risk assessment: [Assignment: organization-defined elements]. |
AU-4 | Audit and Accountability | Audit Log Storage Capacity | Allocate audit log storage capacity to accommodate [Assignment: organization-defined audit log retention requirements]. |
AU-4(1) | Audit and Accountability | Audit Log Storage Capacity | Transfer to Alternate Storage | Transfer audit logs [Assignment: organization-defined frequency] to a different system, system component, or media other than the system or system component conducting the logging. |
AU-5 | Audit and Accountability | Response to Audit Logging Process Failures | |
AU-5(1) | Audit and Accountability | Response to Audit Logging Process Failures | Storage Capacity Warning | Provide a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit log storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit log storage capacity. |
AU-5(2) | Audit and Accountability | Response to Audit Logging Process Failures | Real-time Alerts | Provide an alert within [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit logging failure events requiring real-time alerts]. |
AU-5(3) | Audit and Accountability | Response to Audit Logging Process Failures | Configurable Traffic Volume Thresholds | Enforce configurable network communications traffic volume thresholds reflecting limits on audit log storage capacity and [Selection: reject; delay] network traffic above those thresholds. |
AU-5(4) | Audit and Accountability | Response to Audit Logging Process Failures | Shutdown on Failure | Invoke a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission or business functionality available] in the event of [Assignment: organization-defined audit logging failures], unless an alternate audit logging capability exists. |
AU-5(5) | Audit and Accountability | Response to Audit Logging Process Failures | Alternate Audit Logging Capability | Provide an alternate audit logging capability in the event of a failure in primary audit logging capability that implements [Assignment: organization-defined alternate audit logging functionality]. |
AU-6 | Audit and Accountability | Audit Record Review, Analysis, and Reporting | |
AU-6(1) | Audit and Accountability | Audit Record Review, Analysis, and Reporting | Automated Process Integration | Integrate audit record review, analysis, and reporting processes using [Assignment: organization-defined automated mechanisms]. |
AU-6(3) | Audit and Accountability | Audit Record Review, Analysis, and Reporting | Correlate Audit Record Repositories | Analyze and correlate audit records across different repositories to gain organization-wide situational awareness. |
AU-6(4) | Audit and Accountability | Audit Record Review, Analysis, and Reporting | Central Review and Analysis | Provide and implement the capability to centrally review and analyze audit records from multiple components within the system. |
AU-6(5) | Audit and Accountability | Audit Record Review, Analysis, and Reporting | Integrated Analysis of Audit Records | Integrate analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity. |
AU-6(6) | Audit and Accountability | Audit Record Review, Analysis, and Reporting | Correlation with Physical Monitoring | Correlate information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity. |
AU-6(7) | Audit and Accountability | Audit Record Review, Analysis, and Reporting | Permitted Actions | Specify the permitted actions for each [Selection (one or more): system process; role; user] associated with the review, analysis, and reporting of audit record information. |
AU-6(8) | Audit and Accountability | Audit Record Review, Analysis, and Reporting | Full Text Analysis of Privileged Commands | Perform a full text analysis of logged privileged commands in a physically distinct component or subsystem of the system, or other system that is dedicated to that analysis. |
AU-6(9) | Audit and Accountability | Audit Record Review, Analysis, and Reporting | Correlation with Information from Nontechnical Sources | Correlate information from nontechnical sources with audit record information to enhance organization-wide situational awareness. |
AU-7 | Audit and Accountability | Audit Record Reduction and Report Generation | Provide and implement an audit record reduction and report generation capability that: |
AU-7(1) | Audit and Accountability | Audit Record Reduction and Report Generation | Automatic Processing | Provide and implement the capability to process, sort, and search audit records for events of interest based on the following content: [Assignment: organization-defined fields within audit records]. |
AU-8 | Audit and Accountability | Time Stamps | |
AU-9 | Audit and Accountability | Protection of Audit Information | |
AU-9(1) | Audit and Accountability | Protection of Audit Information | Hardware Write-once Media | Write audit trails to hardware-enforced, write-once media. |
AU-9(2) | Audit and Accountability | Protection of Audit Information | Store on Separate Physical Systems or Components | Store audit records [Assignment: organization-defined frequency] in a repository that is part of a physically different system or system component than the system or component being audited. |
AU-9(3) | Audit and Accountability | Protection of Audit Information | Cryptographic Protection | Implement cryptographic mechanisms to protect the integrity of audit information and audit tools. |
AU-9(4) | Audit and Accountability | Protection of Audit Information | Access by Subset of Privileged Users | Authorize access to management of audit logging functionality to only [Assignment: organization-defined subset of privileged users or roles]. |
AU-9(5) | Audit and Accountability | Protection of Audit Information | Dual Authorization | Enforce dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information]. |
AU-9(6) | Audit and Accountability | Protection of Audit Information | Read-only Access | Authorize read-only access to audit information to [Assignment: organization-defined subset of privileged users or roles]. |
AU-9(7) | Audit and Accountability | Protection of Audit Information | Store on Component with Different Operating System | Store audit information on a component running a different operating system than the system or component being audited. |
AU-10 | Audit and Accountability | Non-repudiation | Provide irrefutable evidence that an individual (or process acting on behalf of an individual) has performed [Assignment: organization-defined actions to be covered by non-repudiation]. |
AU-10(1) | Audit and Accountability | Non-repudiation | Association of Identities | |
AU-10(2) | Audit and Accountability | Non-repudiation | Validate Binding of Information Producer Identity | |
AU-10(3) | Audit and Accountability | Non-repudiation | Chain of Custody | Maintain reviewer or releaser credentials within the established chain of custody for information reviewed or released. |
AU-10(4) | Audit and Accountability | Non-repudiation | Validate Binding of Information Reviewer Identity | |
AU-11 | Audit and Accountability | Audit Record Retention | Retain audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of incidents and to meet regulatory and organizational information retention requirements. |
AU-11(1) | Audit and Accountability | Audit Record Retention | Long-term Retrieval Capability | Employ [Assignment: organization-defined measures] to ensure that long-term audit records generated by the system can be retrieved. |
AU-12 | Audit and Accountability | Audit Record Generation | |
AU-12(1) | Audit and Accountability | Audit Record Generation | System-wide and Time-correlated Audit Trail | Compile audit records from [Assignment: organization-defined system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail]. |
AU-12(2) | Audit and Accountability | Audit Record Generation | Standardized Formats | Produce a system-wide (logical or physical) audit trail composed of audit records in a standardized format. |
AU-12(3) | Audit and Accountability | Audit Record Generation | Changes by Authorized Individuals | Provide and implement the capability for [Assignment: organization-defined individuals or roles] to change the logging to be performed on [Assignment: organization-defined system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds]. |
AU-12(4) | Audit and Accountability | Audit Record Generation | Query Parameter Audits of Personally Identifiable Information | Provide and implement the capability for auditing the parameters of user query events for data sets containing personally identifiable information. |
AU-13 | Audit and Accountability | Monitoring for Information Disclosure | |
AU-13(1) | Audit and Accountability | Monitoring for Information Disclosure | Use of Automated Tools | Monitor open-source information and information sites using [Assignment: organization-defined automated mechanisms]. |
AU-13(2) | Audit and Accountability | Monitoring for Information Disclosure | Review of Monitored Sites | Review the list of open-source information sites being monitored [Assignment: organization-defined frequency]. |
AU-13(3) | Audit and Accountability | Monitoring for Information Disclosure | Unauthorized Replication of Information | Employ discovery techniques, processes, and tools to determine if external entities are replicating organizational information in an unauthorized manner. |
AU-14 | Audit and Accountability | Session Audit | |
AU-14(1) | Audit and Accountability | Session Audit | System Start-up | Initiate session audits automatically at system start-up. |
AU-14(3) | Audit and Accountability | Session Audit | Remote Viewing and Listening | Provide and implement the capability for authorized users to remotely view and hear content related to an established user session in real time. |
AU-16 | Audit and Accountability | Cross-organizational Audit Logging | Employ [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries. |
AU-16(1) | Audit and Accountability | Cross-organizational Audit Logging | Identity Preservation | Preserve the identity of individuals in cross-organizational audit trails. |
AU-16(2) | Audit and Accountability | Cross-organizational Audit Logging | Sharing of Audit Information | Provide cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements]. |
AU-16(3) | Audit and Accountability | Cross-organizational Audit Logging | Disassociability | Implement [Assignment: organization-defined measures] to disassociate individuals from audit information transmitted across organizational boundaries. |
CA-1 | Assessment, Authorization, and Monitoring | Policy and Procedures | |
CA-2 | Assessment, Authorization, and Monitoring | Control Assessments | |
CA-2(1) | Assessment, Authorization, and Monitoring | Control Assessments | Independent Assessors | Employ independent assessors or assessment teams to conduct control assessments. |
CA-2(2) | Assessment, Authorization, and Monitoring | Control Assessments | Specialized Assessments | Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]. |
CA-2(3) | Assessment, Authorization, and Monitoring | Control Assessments | Leveraging Results from External Organizations | Leverage the results of control assessments performed by [Assignment: organization-defined external organization] on [Assignment: organization-defined system] when the assessment meets [Assignment: organization-defined requirements]. |
CA-3 | Assessment, Authorization, and Monitoring | Information Exchange | |
CA-3(6) | Assessment, Authorization, and Monitoring | Information Exchange | Transfer Authorizations | Verify that individuals or systems transferring data between interconnecting systems have the requisite authorizations (i.e., write permissions or privileges) prior to accepting such data. |
CA-3(7) | Assessment, Authorization, and Monitoring | Information Exchange | Transitive Information Exchanges | |
CA-5 | Assessment, Authorization, and Monitoring | Plan of Action and Milestones | |
CA-5(1) | Assessment, Authorization, and Monitoring | Plan of Action and Milestones | Automation Support for Accuracy and Currency | Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [Assignment: organization-defined automated mechanisms]. |
CA-6 | Assessment, Authorization, and Monitoring | Authorization | |
CA-6(1) | Assessment, Authorization, and Monitoring | Authorization | Joint Authorization — Intra-organization | Employ a joint authorization process for the system that includes multiple authorizing officials from the same organization conducting the authorization. |
CA-6(2) | Assessment, Authorization, and Monitoring | Authorization | Joint Authorization — Inter-organization | Employ a joint authorization process for the system that includes multiple authorizing officials with at least one authorizing official from an organization external to the organization conducting the authorization. |
CA-7 | Assessment, Authorization, and Monitoring | Continuous Monitoring | Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: |
CA-7(1) | Assessment, Authorization, and Monitoring | Continuous Monitoring | Independent Assessment | Employ independent assessors or assessment teams to monitor the controls in the system on an ongoing basis. |
CA-7(3) | Assessment, Authorization, and Monitoring | Continuous Monitoring | Trend Analyses | Employ trend analyses to determine if control implementations, the frequency of continuous monitoring activities, and the types of activities used in the continuous monitoring process need to be modified based on empirical data. |
CA-7(4) | Assessment, Authorization, and Monitoring | Continuous Monitoring | Risk Monitoring | Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: |
CA-7(5) | Assessment, Authorization, and Monitoring | Continuous Monitoring | Consistency Analysis | Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: [Assignment: organization-defined actions]. |
CA-7(6) | Assessment, Authorization, and Monitoring | Continuous Monitoring | Automation Support for Monitoring | Ensure the accuracy, currency, and availability of monitoring results for the system using [Assignment: organization-defined automated mechanisms]. |
CA-8 | Assessment, Authorization, and Monitoring | Penetration Testing | Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined systems or system components]. |
CA-8(1) | Assessment, Authorization, and Monitoring | Penetration Testing | Independent Penetration Testing Agent or Team | Employ an independent penetration testing agent or team to perform penetration testing on the system or system components. |
CA-8(2) | Assessment, Authorization, and Monitoring | Penetration Testing | Red Team Exercises | Employ the following red-team exercises to simulate attempts by adversaries to compromise organizational systems in accordance with applicable rules of engagement: [Assignment: organization-defined red team exercises]. |
CA-8(3) | Assessment, Authorization, and Monitoring | Penetration Testing | Facility Penetration Testing | Employ a penetration testing process that includes [Assignment: organization-defined frequency] [Selection: announced; unannounced] attempts to bypass or circumvent controls associated with physical access points to the facility. |
CA-9 | Assessment, Authorization, and Monitoring | Internal System Connections | |
CA-9(1) | Assessment, Authorization, and Monitoring | Internal System Connections | Compliance Checks | Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection. |
CM-1 | Configuration Management | Policy and Procedures | |
CM-2 | Configuration Management | Baseline Configuration | |
CM-2(2) | Configuration Management | Baseline Configuration | Automation Support for Accuracy and Currency | Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms]. |
CM-2(3) | Configuration Management | Baseline Configuration | Retention of Previous Configurations | Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback. |
CM-2(6) | Configuration Management | Baseline Configuration | Development and Test Environments | Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration. |
CM-2(7) | Configuration Management | Baseline Configuration | Configure Systems and Components for High-risk Areas | |
CM-3 | Configuration Management | Configuration Change Control | |
CM-3(1) | Configuration Management | Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes | Use [Assignment: organization-defined automated mechanisms] to: |
CM-3(2) | Configuration Management | Configuration Change Control | Testing, Validation, and Documentation of Changes | Test, validate, and document changes to the system before finalizing the implementation of the changes. |
CM-3(3) | Configuration Management | Configuration Change Control | Automated Change Implementation | Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms]. |
CM-3(4) | Configuration Management | Configuration Change Control | Security and Privacy Representatives | Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element]. |
CM-3(5) | Configuration Management | Configuration Change Control | Automated Security Response | Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: [Assignment: organization-defined security responses]. |
CM-3(6) | Configuration Management | Configuration Change Control | Cryptography Management | Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [Assignment: organization-defined controls]. |
CM-3(7) | Configuration Management | Configuration Change Control | Review System Changes | Review changes to the system [Assignment: organization-defined frequency] or when [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred. |
CM-3(8) | Configuration Management | Configuration Change Control | Prevent or Restrict Configuration Changes | Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances]. |
CM-4 | Configuration Management | Impact Analyses | Analyze changes to the system to determine potential security and privacy impacts prior to change implementation. |
CM-4(1) | Configuration Management | Impact Analyses | Separate Test Environments | Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice. |
CM-4(2) | Configuration Management | Impact Analyses | Verification of Controls | After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system. |
CM-5 | Configuration Management | Access Restrictions for Change | Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system. |
CM-5(1) | Configuration Management | Access Restrictions for Change | Automated Access Enforcement and Audit Records | |
CM-5(4) | Configuration Management | Access Restrictions for Change | Dual Authorization | Enforce dual authorization for implementing changes to [Assignment: organization-defined system components and system-level information]. |
CM-5(5) | Configuration Management | Access Restrictions for Change | Privilege Limitation for Production and Operation | |
CM-5(6) | Configuration Management | Access Restrictions for Change | Limit Library Privileges | Limit privileges to change software resident within software libraries. |
CM-6 | Configuration Management | Configuration Settings | |
CM-6(1) | Configuration Management | Configuration Settings | Automated Management, Application, and Verification | Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms]. |
CM-6(2) | Configuration Management | Configuration Settings | Respond to Unauthorized Changes | Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions]. |
CM-7 | Configuration Management | Least Functionality | |
CM-7(1) | Configuration Management | Least Functionality | Periodic Review | |
CM-7(2) | Configuration Management | Least Functionality | Prevent Program Execution | Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage]. |
CM-7(3) | Configuration Management | Least Functionality | Registration Compliance | Ensure compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services]. |
CM-7(4) | Configuration Management | Least Functionality | Unauthorized Software — Deny-by-exception | |
CM-7(5) | Configuration Management | Least Functionality | Authorized Software — Allow-by-exception | |
CM-7(6) | Configuration Management | Least Functionality | Confined Environments with Limited Privileges | Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: [Assignment: organization-defined user-installed software]. |
CM-7(7) | Configuration Management | Least Functionality | Code Execution in Protected Environments | Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles] when such code is: |
CM-7(8) | Configuration Management | Least Functionality | Binary or Machine Executable Code | |
CM-7(9) | Configuration Management | Least Functionality | Prohibiting The Use of Unauthorized Hardware | |
CM-8 | Configuration Management | System Component Inventory | |
CM-8(1) | Configuration Management | System Component Inventory | Updates During Installation and Removal | Update the inventory of system components as part of component installations, removals, and system updates. |
CM-8(2) | Configuration Management | System Component Inventory | Automated Maintenance | Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms]. |
CM-8(3) | Configuration Management | System Component Inventory | Automated Unauthorized Component Detection | |
CM-8(4) | Configuration Management | System Component Inventory | Accountability Information | Include in the system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible and accountable for administering those components. |
CM-8(6) | Configuration Management | System Component Inventory | Assessed Configurations and Approved Deviations | Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory. |
CM-8(7) | Configuration Management | System Component Inventory | Centralized Repository | Provide a centralized repository for the inventory of system components. |
CM-8(8) | Configuration Management | System Component Inventory | Automated Location Tracking | Support the tracking of system components by geographic location using [Assignment: organization-defined automated mechanisms]. |
CM-8(9) | Configuration Management | System Component Inventory | Assignment of Components to Systems | |
CM-9 | Configuration Management | Configuration Management Plan | Develop, document, and implement a configuration management plan for the system that: |
CM-9(1) | Configuration Management | Configuration Management Plan | Assignment of Responsibility | Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development. |
CM-10 | Configuration Management | Software Usage Restrictions | |
CM-10(1) | Configuration Management | Software Usage Restrictions | Open-source Software | Establish the following restrictions on the use of open-source software: [Assignment: organization-defined restrictions]. |
CM-11 | Configuration Management | User-installed Software | |
CM-11(2) | Configuration Management | User-installed Software | Software Installation with Privileged Status | Allow user installation of software only with explicit privileged status. |
CM-11(3) | Configuration Management | User-installed Software | Automated Enforcement and Monitoring | Enforce and monitor compliance with software installation policies using [Assignment: organization-defined automated mechanisms]. |
CM-12 | Configuration Management | Information Location | |
CM-12(1) | Configuration Management | Information Location | Automated Tools to Support Information Location | Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy. |
CM-13 | Configuration Management | Data Action Mapping | Develop and document a map of system data actions. |
CM-14 | Configuration Management | Signed Components | Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. |
CP-1 | Contingency Planning | Policy and Procedures | |
CP-2 | Contingency Planning | Contingency Plan | |
CP-2(1) | Contingency Planning | Contingency Plan | Coordinate with Related Plans | Coordinate contingency plan development with organizational elements responsible for related plans. |
CP-2(2) | Contingency Planning | Contingency Plan | Capacity Planning | Conduct capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations. |
CP-2(3) | Contingency Planning | Contingency Plan | Resume Mission and Business Functions | Plan for the resumption of [Selection: all; essential] mission and business functions within [Assignment: organization-defined time period] of contingency plan activation. |
CP-2(5) | Contingency Planning | Contingency Plan | Continue Mission and Business Functions | Plan for the continuance of [Selection: all; essential] mission and business functions with minimal or no loss of operational continuity and sustain that continuity until full system restoration at primary processing and/or storage sites. |
CP-2(6) | Contingency Planning | Contingency Plan | Alternate Processing and Storage Sites | Plan for the transfer of [Selection: all; essential] mission and business functions to alternate processing and/or storage sites with minimal or no loss of operational continuity and sustain that continuity through system restoration to primary processing and/or storage sites. |
CP-2(7) | Contingency Planning | Contingency Plan | Coordinate with External Service Providers | Coordinate the contingency plan with the contingency plans of external service providers to ensure that contingency requirements can be satisfied. |
CP-2(8) | Contingency Planning | Contingency Plan | Identify Critical Assets | Identify critical system assets supporting [Selection: all; essential] mission and business functions. |
CP-3 | Contingency Planning | Contingency Training | |
CP-3(1) | Contingency Planning | Contingency Training | Simulated Events | Incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations. |
CP-3(2) | Contingency Planning | Contingency Training | Mechanisms Used in Training Environments | Employ mechanisms used in operations to provide a more thorough and realistic contingency training environment. |
CP-4 | Contingency Planning | Contingency Plan Testing | |
CP-4(1) | Contingency Planning | Contingency Plan Testing | Coordinate with Related Plans | Coordinate contingency plan testing with organizational elements responsible for related plans. |
CP-4(2) | Contingency Planning | Contingency Plan Testing | Alternate Processing Site | Test the contingency plan at the alternate processing site: |
CP-4(3) | Contingency Planning | Contingency Plan Testing | Automated Testing | Test the contingency plan using [Assignment: organization-defined automated mechanisms]. |
CP-4(4) | Contingency Planning | Contingency Plan Testing | Full Recovery and Reconstitution | Include a full recovery and reconstitution of the system to a known state as part of contingency plan testing. |
CP-4(5) | Contingency Planning | Contingency Plan Testing | Self-challenge | Employ [Assignment: organization-defined mechanisms] to [Assignment: organization-defined system or system component] to disrupt and adversely affect the system or system component. |
CP-6 | Contingency Planning | Alternate Storage Site | |
CP-6(1) | Contingency Planning | Alternate Storage Site | Separation from Primary Site | Identify an alternate storage site that is sufficiently separated from the primary storage site to reduce susceptibility to the same threats. |
CP-6(2) | Contingency Planning | Alternate Storage Site | Recovery Time and Recovery Point Objectives | Configure the alternate storage site to facilitate recovery operations in accordance with recovery time and recovery point objectives. |
CP-6(3) | Contingency Planning | Alternate Storage Site | Accessibility | Identify potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outline explicit mitigation actions. |
CP-7 | Contingency Planning | Alternate Processing Site | |
CP-7(1) | Contingency Planning | Alternate Processing Site | Separation from Primary Site | Identify an alternate processing site that is sufficiently separated from the primary processing site to reduce susceptibility to the same threats. |
CP-7(2) | Contingency Planning | Alternate Processing Site | Accessibility | Identify potential accessibility problems to alternate processing sites in the event of an area-wide disruption or disaster and outline explicit mitigation actions. |
CP-7(3) | Contingency Planning | Alternate Processing Site | Priority of Service | Develop alternate processing site agreements that contain priority-of-service provisions in accordance with availability requirements (including recovery time objectives). |
CP-7(4) | Contingency Planning | Alternate Processing Site | Preparation for Use | Prepare the alternate processing site so that the site can serve as the operational site supporting essential mission and business functions. |
CP-7(6) | Contingency Planning | Alternate Processing Site | Inability to Return to Primary Site | Plan and prepare for circumstances that preclude returning to the primary processing site. |
CP-8 | Contingency Planning | Telecommunications Services | Establish alternate telecommunications services, including necessary agreements to permit the resumption of [Assignment: organization-defined system operations] for essential mission and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites. |
CP-8(1) | Contingency Planning | Telecommunications Services | Priority of Service Provisions | |
CP-8(2) | Contingency Planning | Telecommunications Services | Single Points of Failure | Obtain alternate telecommunications services to reduce the likelihood of sharing a single point of failure with primary telecommunications services. |
CP-8(3) | Contingency Planning | Telecommunications Services | Separation of Primary and Alternate Providers | Obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats. |
CP-8(4) | Contingency Planning | Telecommunications Services | Provider Contingency Plan | |
CP-8(5) | Contingency Planning | Telecommunications Services | Alternate Telecommunication Service Testing | Test alternate telecommunication services [Assignment: organization-defined frequency]. |
CP-9 | Contingency Planning | System Backup | |
CP-9(1) | Contingency Planning | System Backup | Testing for Reliability and Integrity | Test backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity. |
CP-9(2) | Contingency Planning | System Backup | Test Restoration Using Sampling | Use a sample of backup information in the restoration of selected system functions as part of contingency plan testing. |
CP-9(3) | Contingency Planning | System Backup | Separate Storage for Critical Information | Store backup copies of [Assignment: organization-defined critical system software and other security-related information] in a separate facility or in a fire rated container that is not collocated with the operational system. |
CP-9(5) | Contingency Planning | System Backup | Transfer to Alternate Storage Site | Transfer system backup information to the alternate storage site [Assignment: organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives]. |
CP-9(6) | Contingency Planning | System Backup | Redundant Secondary System | Conduct system backup by maintaining a redundant secondary system that is not collocated with the primary system and that can be activated without loss of information or disruption to operations. |
CP-9(7) | Contingency Planning | System Backup | Dual Authorization for Deletion or Destruction | Enforce dual authorization for the deletion or destruction of [Assignment: organization-defined backup information]. |
CP-9(8) | Contingency Planning | System Backup | Cryptographic Protection | Implement cryptographic mechanisms to prevent unauthorized disclosure and modification of [Assignment: organization-defined backup information]. |
CP-10 | Contingency Planning | System Recovery and Reconstitution | Provide for the recovery and reconstitution of the system to a known state within [Assignment: organization-defined time period consistent with recovery time and recovery point objectives] after a disruption, compromise, or failure. |
CP-10(2) | Contingency Planning | System Recovery and Reconstitution | Transaction Recovery | Implement transaction recovery for systems that are transaction-based. |
CP-10(4) | Contingency Planning | System Recovery and Reconstitution | Restore Within Time Period | Provide the capability to restore system components within [Assignment: organization-defined restoration time periods] from configuration-controlled and integrity-protected information representing a known, operational state for the components. |
CP-10(6) | Contingency Planning | System Recovery and Reconstitution | Component Protection | Protect system components used for recovery and reconstitution. |
CP-11 | Contingency Planning | Alternate Communications Protocols | Provide the capability to employ [Assignment: organization-defined alternative communications protocols] in support of maintaining continuity of operations. |
CP-12 | Contingency Planning | Safe Mode | When [Assignment: organization-defined conditions] are detected, enter a safe mode of operation with [Assignment: organization-defined restrictions of safe mode of operation]. |
CP-13 | Contingency Planning | Alternative Security Mechanisms | Employ [Assignment: organization-defined alternative or supplemental security mechanisms] for satisfying [Assignment: organization-defined security functions] when the primary means of implementing the security function is unavailable or compromised. |
IA-1 | Identification and Authentication | Policy and Procedures | |
IA-2 | Identification and Authentication | Identification and Authentication (Organizational Users) | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
IA-2(1) | Identification and Authentication | Identification and Authentication (Organizational Users) | Multi-factor Authentication to Privileged Accounts | Implement multi-factor authentication for access to privileged accounts. |
IA-2(2) | Identification and Authentication | Identification and Authentication (Organizational Users) | Multi-factor Authentication to Non-privileged Accounts | Implement multi-factor authentication for access to non-privileged accounts. |
IA-2(5) | Identification and Authentication | Identification and Authentication (Organizational Users) | Individual Authentication with Group Authentication | When shared accounts or authenticators are employed, require users to be individually authenticated before granting access to the shared accounts or resources. |
IA-2(6) | Identification and Authentication | Identification and Authentication (Organizational Users) | Access to Accounts — Separate Device | Implement multi-factor authentication for [Selection (one or more): local; network; remote] access to [Selection (one or more): privileged accounts; non-privileged accounts] such that: |
IA-2(8) | Identification and Authentication | Identification and Authentication (Organizational Users) | Access to Accounts — Replay Resistant | Implement replay-resistant authentication mechanisms for access to [Selection (one or more): privileged accounts; non-privileged accounts]. |
IA-2(10) | Identification and Authentication | Identification and Authentication (Organizational Users) | Single Sign-on | Provide a single sign-on capability for [Assignment: organization-defined system accounts and services]. |
IA-2(12) | Identification and Authentication | Identification and Authentication (Organizational Users) | Acceptance of PIV Credentials | Accept and electronically verify Personal Identity Verification-compliant credentials. |
IA-2(13) | Identification and Authentication | Identification and Authentication (Organizational Users) | Out-of-band Authentication | Implement the following out-of-band authentication mechanisms under [Assignment: organization-defined conditions]: [Assignment: organization-defined out-of-band authentication]. |
IA-3 | Identification and Authentication | Device Identification and Authentication | Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection. |
IA-3(1) | Identification and Authentication | Device Identification and Authentication | Cryptographic Bidirectional Authentication | Authenticate [Assignment: organization-defined devices and/or types of devices] before establishing [Selection (one or more): local; remote; network] connection using bidirectional authentication that is cryptographically based. |
IA-3(3) | Identification and Authentication | Device Identification and Authentication | Dynamic Address Allocation | |
IA-3(4) | Identification and Authentication | Device Identification and Authentication | Device Attestation | Handle device identification and authentication based on attestation by [Assignment: organization-defined configuration management process]. |
IA-4 | Identification and Authentication | Identifier Management | Manage system identifiers by: |
IA-4(1) | Identification and Authentication | Identifier Management | Prohibit Account Identifiers as Public Identifiers | Prohibit the use of system account identifiers that are the same as public identifiers for individual accounts. |
IA-4(4) | Identification and Authentication | Identifier Management | Identify User Status | Manage individual identifiers by uniquely identifying each individual as [Assignment: organization-defined characteristic identifying individual status]. |
IA-4(5) | Identification and Authentication | Identifier Management | Dynamic Management | Manage individual identifiers dynamically in accordance with [Assignment: organization-defined dynamic identifier policy]. |
IA-4(6) | Identification and Authentication | Identifier Management | Cross-organization Management | Coordinate with the following external organizations for cross-organization management of identifiers: [Assignment: organization-defined external organizations]. |
IA-4(8) | Identification and Authentication | Identifier Management | Pairwise Pseudonymous Identifiers | Generate pairwise pseudonymous identifiers. |
IA-4(9) | Identification and Authentication | Identifier Management | Attribute Maintenance and Protection | Maintain the attributes for each uniquely identified individual, device, or service in [Assignment: organization-defined protected central storage]. |
IA-5 | Identification and Authentication | Authenticator Management | Manage system authenticators by: |
IA-5(1) | Identification and Authentication | Authenticator Management | Password-based Authentication | For password-based authentication: |
IA-5(2) | Identification and Authentication | Authenticator Management | Public Key-based Authentication | |
IA-5(5) | Identification and Authentication | Authenticator Management | Change Authenticators Prior to Delivery | Require developers and installers of system components to provide unique authenticators or change default authenticators prior to delivery and installation. |
IA-5(6) | Identification and Authentication | Authenticator Management | Protection of Authenticators | Protect authenticators commensurate with the security category of the information to which use of the authenticator permits access. |
IA-5(7) | Identification and Authentication | Authenticator Management | No Embedded Unencrypted Static Authenticators | Ensure that unencrypted static authenticators are not embedded in applications or other forms of static storage. |
IA-5(8) | Identification and Authentication | Authenticator Management | Multiple System Accounts | Implement [Assignment: organization-defined security controls] to manage the risk of compromise due to individuals having accounts on multiple systems. |
IA-5(9) | Identification and Authentication | Authenticator Management | Federated Credential Management | Use the following external organizations to federate credentials: [Assignment: organization-defined external organizations]. |
IA-5(10) | Identification and Authentication | Authenticator Management | Dynamic Credential Binding | Bind identities and authenticators dynamically using the following rules: [Assignment: organization-defined binding rules]. |
IA-5(12) | Identification and Authentication | Authenticator Management | Biometric Authentication Performance | For biometric-based authentication, employ mechanisms that satisfy the following biometric quality requirements [Assignment: organization-defined biometric quality requirements]. |
IA-5(13) | Identification and Authentication | Authenticator Management | Expiration of Cached Authenticators | Prohibit the use of cached authenticators after [Assignment: organization-defined time period]. |
IA-5(14) | Identification and Authentication | Authenticator Management | Managing Content of PKI Trust Stores | For PKI-based authentication, employ an organization-wide methodology for managing the content of PKI trust stores installed across all platforms, including networks, operating systems, browsers, and applications. |
IA-5(15) | Identification and Authentication | Authenticator Management | GSA-approved Products and Services | Use only General Services Administration-approved products and services for identity, credential, and access management. |
IA-5(16) | Identification and Authentication | Authenticator Management | In-person or Trusted External Party Authenticator Issuance | Require that the issuance of [Assignment: organization-defined types of and/or specific authenticators] be conducted [Selection: in person; by a trusted external party] before [Assignment: organization-defined registration authority] with authorization by [Assignment: organization-defined personnel or roles]. |
IA-5(17) | Identification and Authentication | Authenticator Management | Presentation Attack Detection for Biometric Authenticators | Employ presentation attack detection mechanisms for biometric-based authentication. |
IA-5(18) | Identification and Authentication | Authenticator Management | Password Managers | |
IA-6 | Identification and Authentication | Authentication Feedback | Obscure feedback of authentication information during the authentication process to protect the information from possible exploitation and use by unauthorized individuals. |
IA-7 | Identification and Authentication | Cryptographic Module Authentication | Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication. |
IA-8 | Identification and Authentication | Identification and Authentication (Non-organizational Users) | Uniquely identify and authenticate non-organizational users or processes acting on behalf of non-organizational users. |
IA-8(1) | Identification and Authentication | Identification and Authentication (Non-organizational Users) | Acceptance of PIV Credentials from Other Agencies | Accept and electronically verify Personal Identity Verification-compliant credentials from other federal agencies. |
IA-8(2) | Identification and Authentication | Identification and Authentication (Non-organizational Users) | Acceptance of External Authenticators | |
IA-8(4) | Identification and Authentication | Identification and Authentication (Non-organizational Users) | Use of Defined Profiles | Conform to the following profiles for identity management [Assignment: organization-defined identity management profiles]. |
IA-8(5) | Identification and Authentication | Identification and Authentication (Non-organizational Users) | Acceptance of PIV-I Credentials | Accept and verify federated or PKI credentials that meet [Assignment: organization-defined policy]. |
IA-8(6) | Identification and Authentication | Identification and Authentication (Non-organizational Users) | Disassociability | Implement the following measures to disassociate user attributes or identifier assertion relationships among individuals, credential service providers, and relying parties: [Assignment: organization-defined measures]. |
IA-9 | Identification and Authentication | Service Identification and Authentication | Uniquely identify and authenticate [Assignment: organization-defined system services and applications] before establishing communications with devices, users, or other services or applications. |
IA-10 | Identification and Authentication | Adaptive Authentication | Require individuals accessing the system to employ [Assignment: organization-defined supplemental authentication techniques or mechanisms] under specific [Assignment: organization-defined circumstances or situations]. |
IA-11 | Identification and Authentication | Re-authentication | Require users to re-authenticate when [Assignment: organization-defined circumstances or situations requiring re-authentication]. |
IA-12 | Identification and Authentication | Identity Proofing | |
IA-12(1) | Identification and Authentication | Identity Proofing | Supervisor Authorization | Require that the registration process to receive an account for logical access includes supervisor or sponsor authorization. |
IA-12(2) | Identification and Authentication | Identity Proofing | Identity Evidence | Require evidence of individual identification be presented to the registration authority. |
IA-12(3) | Identification and Authentication | Identity Proofing | Identity Evidence Validation and Verification | Require that the presented identity evidence be validated and verified through [Assignment: organization-defined methods of validation and verification]. |
IA-12(4) | Identification and Authentication | Identity Proofing | In-person Validation and Verification | Require that the validation and verification of identity evidence be conducted in person before a designated registration authority. |
IA-12(5) | Identification and Authentication | Identity Proofing | Address Confirmation | Require that a [Selection: registration code; notice of proofing] be delivered through an out-of-band channel to verify the user's address (physical or digital) of record. |
IA-12(6) | Identification and Authentication | Identity Proofing | Accept Externally-proofed Identities | Accept externally-proofed identities at [Assignment: organization-defined identity assurance level]. |
IR-1 | Incident Response | Policy and Procedures | |
IR-2 | Incident Response | Incident Response Training | |
IR-2(1) | Incident Response | Incident Response Training | Simulated Events | Incorporate simulated events into incident response training to facilitate the required response by personnel in crisis situations. |
IR-2(2) | Incident Response | Incident Response Training | Automated Training Environments | Provide an incident response training environment using [Assignment: organization-defined automated mechanisms]. |
IR-2(3) | Incident Response | Incident Response Training | Breach | Provide incident response training on how to identify and respond to a breach, including the organization’s process for reporting a breach. |
IR-3 | Incident Response | Incident Response Testing | Test the effectiveness of the incident response capability for the system [Assignment: organization-defined frequency] using the following tests: [Assignment: organization-defined tests]. |
IR-3(1) | Incident Response | Incident Response Testing | Automated Testing | Test the incident response capability using [Assignment: organization-defined automated mechanisms]. |
IR-3(2) | Incident Response | Incident Response Testing | Coordination with Related Plans | Coordinate incident response testing with organizational elements responsible for related plans. |
IR-3(3) | Incident Response | Incident Response Testing | Continuous Improvement | Use qualitative and quantitative data from testing to: |
IR-4 | Incident Response | Incident Handling | |
IR-4(1) | Incident Response | Incident Handling | Automated Incident Handling Processes | Support the incident handling process using [Assignment: organization-defined automated mechanisms]. |
IR-4(2) | Incident Response | Incident Handling | Dynamic Reconfiguration | Include the following types of dynamic reconfiguration for [Assignment: organization-defined system components] as part of the incident response capability: [Assignment: organization-defined types of dynamic reconfiguration]. |
IR-4(3) | Incident Response | Incident Handling | Continuity of Operations | Identify [Assignment: organization-defined classes of incidents] and take the following actions in response to those incidents to ensure continuation of organizational mission and business functions: [Assignment: organization-defined actions to take in response to classes of incidents]. |