The organization manages information system accounts by identifying authorized users of the information system and specifying access privileges.
The organization reviews information system accounts for compliance with account management requirements per organization-defined frequency.
The organization manages information system accounts by notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes.
The information system enforces information flow control using explicit security attributes on information, source, and destination objects as a basis for flow control decisions.
The information system uses protected processing domains to enforce organization-defined information flow control policies as a basis for flow control decisions.
The information system enforces dynamic information flow control based on organization-defined policies.
The organization requires that users of information system accounts or roles, with access to organization-defined security functions or security-relevant information, use non-privileged accounts, or roles, when accessing nonsecurity functions.
The information system retains the session lock until the user reestablishes access using established identification and authentication procedures.
The information system routes all remote accesses through an organization-defined number of managed network access control points.
The organization develops an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.
The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors) as part of initial training for new users.
The organization includes practical exercises in security awareness training that simulate actual cyber attacks.
The organization reviews and updates the audit and accountability policy on an organization-defined frequency.
The organization determines the information system must be capable of auditing an organization-defined list of auditable events.
The organization centrally manages the content of audit records generated by organization-defined information system components.
The organization's security assessment plan describes assessment roles and responsibilities.
The organization assesses, on an organization-defined frequency, the security controls in the information system and its environment of operation to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements.
The organization develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system.
The organization implements a continuous monitoring program that includes reporting the security status of the organization and the information system to organization-defined personnel or roles on an organization-defined frequency.
The organization documents a baseline configuration of the information system.
The organization employs automated mechanisms to implement changes to the current information system baseline.
The organization deploys the updated information system baseline across the installed base.
The organization approves logical access restrictions associated with changes to the information system.
The organization limits information system developer/integrator privileges to change system information directly within a production environment.
The organization defines the frequency to reevaluate information system developer/integrator privileges.
The organization reviews information system developer/integrator privileges per organization-defined frequency.
The organization reevaluates information system developer/integrator privileges per organization-defined frequency.
The organization employs automated mechanisms to respond to unauthorized changes to organization-defined configuration settings.
The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization's incident response capability.
The organization ensures compliance with organization-defined registration requirements for functions, ports, protocols, and services.
The organization documents an inventory of information system components that accurately reflects the current information system.
The organization maintains an inventory of information system components that accurately reflects the current information system.
The organization develops an inventory of information system components that includes all components within the authorization boundary of the information system.
The organization updates the inventory of information system components as an integral part of component installations.
The organization employs automated mechanisms to help maintain an up-to-date inventory of information system components.
The organization employs automated mechanisms to help maintain a complete inventory of information system components.
The organization implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures.
The organization develops a configuration management plan for the information system that defines the configuration items for the information system.
The organization documents a configuration management plan for the information system that defines the configuration items for the information system.
The organization develops and documents a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
The organization reviews and updates the current contingency planning policy in accordance with an organization-defined frequency.
The organization develops and documents procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.
The organization develops a contingency plan for the information system that addresses maintaining essential business functions despite an information system failure.
The organization updates the contingency plan to address changes to the information system.
The organization updates the contingency plan to address changes to the environment of operation.
The organization updates the contingency plan to address problems encountered during contingency plan implementation, execution, or testing.
The organization communicates contingency plan changes to an organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements.
The organization coordinates contingency plan development with organizational elements responsible for related plans.
The organization conducts capacity planning so that necessary capacity for information processing exists during contingency operations.
The organization conducts capacity planning so that necessary capacity for telecommunications exists during contingency operations.
The organization conducts capacity planning so that necessary capacity for environmental support exists during contingency operations.
The organization defines the time period for planning the resumption of essential missions as a result of contingency plan activation.
The organization plans for the transfer of essential business functions to alternate processing and/or storage sites with little or no loss of operational continuity.
The organization defines the frequency of refresher contingency training to information system users.
The organization provides contingency training to information system users consistent with assigned roles and responsibilities within an organization-defined time period of assuming a contingency role or responsibility.
The organization defines the frequency with which to test the contingency plan for the information system.
The organization coordinates contingency plan testing with organizational elements responsible for related plans.
The organization coordinates contingency plan exercises with organizational elements responsible for related plans.
The organization includes a full recovery and reconstitution of the information system to a known state as part of contingency plan testing.
The organization establishes an alternate storage site including necessary agreements to permit the storage and retrieval of information system backup information.
The organization develops alternate processing site agreements that contain priority-of-service provisions in accordance with the organizational availability requirements (including recovery time objectives).
The organization prepares the alternate processing site so that it is ready to be used as the operational site supporting essential missions.
The organization ensures that the alternate processing site provides information security safeguards equivalent to that of the primary site.
The organization defines the time period within which to permit the resumption of organization-defined information system operations for essential business functions when the primary telecommunications capabilities are unavailable at either the primary or alternate processing or storage sites.
The organization requires primary telecommunications service providers to have contingency plans.
The organization requires alternate telecommunications service providers to have contingency plans.
The organization defines the frequency of conducting user-level information backups to support recovery time objectives and recovery point objectives.
The organization conducts backups of user-level information contained in the information system per organization-defined frequency that is consistent with recovery time and recovery point objectives.
The organization defines the frequency of conducting system-level information backups to support recovery time objectives and recovery point objectives.
The organization protects the confidentiality, integrity, and availability of backup information at storage locations.
The organization stores backup copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not colocated with the operational system.
The organization transfers information system backup information to the alternate storage site in accordance with the organization-defined time period and transfer rate consistent with the recovery time and recovery point objectives.
The organization maintains a redundant secondary information system that is not collocated with the primary system.
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption.
The organization provides for the recovery and reconstitution of the information system to a known state after a compromise.
The organization provides for the recovery and reconstitution of the information system to a known state after a failure.
The information system implements transaction recovery for systems that are transaction-based.
The organization disseminates a security planning policy to organization-defined personnel or roles.
The organization reviews/updates, per organization-defined frequency, a formal, documented security planning policy.
The organization develops and documents procedures to facilitate the implementation of the security planning policy and associated security planning controls.
The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
The organization develops a security Concept of Operations (CONOPS) for the information system containing, at a minimum: the purpose of the system; a description of the system architecture; the security authorization schedule; and the security categorization and associated factors considered in determining the categorization.
The organization defines the frequency with which to review and update the security CONOPS.
The organization reviews and updates the security CONOPS in accordance with organization-defined frequency.
The organization develops a functional architecture for the information system that identifies and maintains external interfaces.
The organization develops a functional architecture for the information system that identifies and maintains the information being exchanged across the interfaces.
The organization develops a functional architecture for the information system that identifies and maintains the protection mechanisms associated with each interface.
The organization develops a functional architecture for the information system that identifies and maintains user roles.
The organization includes in the rules of behavior explicit restrictions on the use of social media/networking sites.
The organization includes in the rules of behavior explicit restrictions on posting organizational information on public websites.
The organization includes in the rules of behavior explicit restrictions on sharing information system account information.
The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.
The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational individuals.
The organization defines the frequency with which to review and update the current system and services acquisition policy.
The organization develops and documents a system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
The organization disseminates to organization-defined personnel or roles a system and services acquisition policy.
The organization includes a determination of information security requirements for the information system in business process planning.
The organization establishes a discrete line item for information security in organizational budgeting documentation.
The organization manages the information system using an organization-defined system development life cycle that incorporates information security considerations.
The organization defines and documents information system security roles and responsibilities throughout the system development life cycle.
The organization documents information system security roles and responsibilities throughout the system development life cycle.
The organization includes security-related documentation requirements, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
The organization includes developmental and evaluation-related assurance requirements, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development process employs quality control processes.
The organization requires software vendors/manufacturers to minimize flawed or malformed software by demonstrating that their software development processes employ validation techniques.
The organization ensures each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.
The organization requires in acquisition documents that information system components are delivered in a secure, documented configuration, and that the secure configuration is the default configuration for any software reinstalls or upgrades.
The organization employs only government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted.
The organization employs only commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products that compose an NSA-approved solution to protect classified information when the networks used to transmit the information are at a lower classification level than the information being transmitted.
The organization ensures that government off-the-shelf (GOTS) or commercial off-the-shelf (COTS) information assurance (IA) and IA-enabled information technology products have been evaluated and/or validated by the NSA or in accordance with NSA-approved procedures.
The organization makes available to authorized personnel administrator documentation for the information system that describes secure configuration, installation, and operation of the information system; effective use and maintenance of the security features/functions; and known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions.
The organization obtains user documentation for the information system that describes user-accessible security features/functions and how to effectively use those security features/functions; methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and user responsibilities in maintaining the security of the information and information system.
The organization documents attempts to obtain information system, system component, or information system service documentation when such documentation is either unavailable or nonexistent.
The organization protects, as required, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system.
The organization makes available to authorized personnel vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.
The organization obtains vendor/manufacturer documentation that describes the security-relevant external interfaces to the information system with sufficient detail to permit analysis and testing.
The organization obtains vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
The organization obtains vendor/manufacturer documentation that describes the low-level design of the information system in terms of modules and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
The organization uses software and associated documentation in accordance with contract agreements and copyright laws.
The organization employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution.
The organization controls the use of peer-to-peer file sharing technology to ensure this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
The organization documents the use of peer-to-peer file sharing technology to ensure this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
The organization prohibits the use of binary executable code from sources with limited or no warranty without accompanying source code.
The organization prohibits the use of machine executable code from sources with limited or no warranty without accompanying source code.
The organization provides exceptions to the source code requirement only when no alternative solutions are available to support compelling mission/operational requirements.
The organization obtains express written consent of the authorizing official for exceptions to the source code requirement.
The organization (or information system) enforces explicit rules governing the installation of software by users.
The organization requires that providers of external information system services employ organization-defined security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
The organization documents government oversight with regard to external information system services.
The organization defines user roles and responsibilities with regard to external information system services.
The organization documents user roles and responsibilities with regard to external information system services.
The organization monitors security control compliance by external service providers.
The organization conducts an organizational assessment of risk prior to the acquisition of dedicated information security services.
The organization conducts an organizational assessment of risk prior to the outsourcing of dedicated information security services.
The organization requires information system developers to perform configuration management during information system implementation.
The organization requires information system developers to perform configuration management during information system operation.
The organization requires information system integrators to perform configuration management during information system design.
The organization requires information system integrators to perform configuration management during information system development.
The organization requires information system integrators to perform configuration management during information system implementation.
The organization requires information system integrators to perform configuration management during information system operation.
The organization requires information system developers to manage and control changes to the information system during design.
The organization requires information system integrators to manage and control changes to the information system during design.
The organization requires the developer of the information system, system component, or information system service to implement only organization-approved changes to the system, component, or service.
The organization requires information system integrators to implement only organization-approved changes.
The organization requires information system integrators to provide an integrity check of software to facilitate organizational verification of software integrity after delivery.
The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to implement a security test and evaluation plan.
The organization requires information system developers, in consultation with associated security personnel (including security engineers), to implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process.
The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process.
The organization requires information system developers, in consultation with associated security personnel (including security engineers), to document the results of the security testing/evaluation processes.
The organization requires information system developers, in consultation with associated security personnel (including security engineers), to document the results of the security flaw remediation processes.
The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to document the results of the security testing/evaluation processes.
The organization requires information system integrators, in consultation with associated security personnel (including security engineers), to document the results of the security flaw remediation processes.
The organization requires information system developers to employ code analysis tools to examine software for common flaws and document the results of the analysis.
The organization requires information system integrators to employ code analysis tools to examine software for common flaws and document the results of the analysis.
The organization requires information system integrators to perform a vulnerability analysis to document risk mitigations.
The organization protects against supply chain threats to the information system, system component, or information system service by employing organization-defined security safeguards as part of a comprehensive, defense-in-breadth information security strategy.
The organization purchases all anticipated information system components and spares in the initial acquisition.
The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system hardware.
The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system software.
The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire information system firmware.
The organization employs a diverse set of suppliers for information technology products.
The organization employs a diverse set of suppliers for information system services.
The organization employs standard configurations for information system components.
The organization employs standard configurations for information technology products.
The organization minimizes the time between purchase decisions and delivery of information systems.
The organization minimizes the time between purchase decisions and delivery of information system components.
The organization requires that the information system meets the organization-defined level of trustworthiness.
The organization determines the organization-defined list of critical information system components that require re-implementation.
The organization re-implements organization-defined critical information system components.
The organization identifies information system components for which alternative sourcing is not viable.
The organization defines measures to be employed to prevent critical security controls for information system components from being compromised.
The organization employs organization-defined measures to ensure critical security controls for the information system components are not compromised.
The organization develops an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
The organization disseminates to organization-defined personnel or roles an identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
The information system implements multifactor authentication for network access to privileged accounts.
The information system implements multifactor authentication for local access to privileged accounts.
The information system implements multifactor authentication for local access to non-privileged accounts.
The organization allows the use of group authenticators only when used in conjunction with an individual/unique authenticator.
The organization requires individuals to be authenticated with an individual authenticator when a group authenticator is employed.
The information system uses multifactor authentication for network access to privileged accounts where one of the factors is provided by a device separate from the information system being accessed.
The information system uniquely identifies an organization-defined list of specific and/or types of devices before establishing a local, remote, or network connection.
The information system authenticates devices before establishing remote network connections using bidirectional authentication between devices that is cryptographically based.
The information system authenticates devices before establishing wireless network connections using bidirectional authentication between devices that is cryptographically based.
The information system authenticates devices before establishing network connections using bidirectional authentication between devices that is cryptographically based.
The organization standardizes, with regard to dynamic address allocation, Dynamic Host Configuration Protocol (DHCP) lease information and the time assigned to DHCP-enabled devices.
The organization manages information system identifiers for users and devices by receiving authorization from a designated organizational official to assign a user identifier.
The organization manages information system identifiers for users and devices by receiving authorization from a designated organizational official to assign a device identifier.
The organization manages information system identifiers for users and devices by selecting an identifier that uniquely identifies an individual.
The organization manages information system identifiers for users and devices by selecting an identifier that uniquely identifies a device.
The organization manages information system identifiers by disabling the identifier after an organization-defined time period of inactivity.
The organization prohibits the use of information system account identifiers that are the same as public identifiers for individual electronic mail accounts.
The organization requires that registration to receive a user ID and password include authorization by a supervisor.
The organization requires that registration to receive a user ID and password be done in person before a designated registration authority.
The organization requires multiple forms of certification of individual identification, such as documentary evidence or a combination of documents and biometrics, be presented to the registration authority.
The organization manages individual identifiers by uniquely identifying each individual by organization-defined characteristics identifying individual status.
The information system dynamically manages identifiers, attributes, and associated access authorizations.
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
The organization develops and documents an incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
The organization disseminates an incident response policy to organization-defined personnel or roles.
The organization employs automated mechanisms to provide a more thorough and realistic incident response training environment.
The organization tests the incident response capability for the information system on an organization-defined frequency using organization-defined tests to determine the incident response effectiveness.
The organization employs automated mechanisms to more thoroughly and effectively test the incident response capability.
The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
The organization coordinates incident handling activities with contingency planning activities.
The organization defines and identifies actions to take in response to organization-defined classes of incidents to ensure continuation of organizational missions and business functions.
The organization correlates incident information and individual incident responses to achieve an organization-wide perspective on incident awareness and response.
The organization employs automated mechanisms to assist in the tracking of security incidents.
The organization defines a time period for personnel to report suspected security incidents to the organizational incident response capability.
The organization requires personnel to report suspected security incidents to the organizational incident response capability within the organization-defined time period.
The organization reports security incident information to organization-defined authorities.
The organization employs automated mechanisms to assist in the reporting of security incidents.
The organization defines incident response personnel (identified by name and/or by role) and organizational elements to whom copies of the incident response plan are distributed.
The organization distributes copies of the incident response plan to organization-defined incident response personnel (identified by name and/or by role) and organizational elements.
The organization defines the frequency for reviewing the incident response plan.
The organization reviews the incident response plan on an organization-defined frequency.
The organization communicates incident response plan changes to organization-defined incident response personnel (identified by name and/or by role) and organizational elements.
The organization defines the frequency with which to review and update the current system maintenance policy.
The organization develops and documents a system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
The organization schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements.
The organization approves and monitors all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location.
The organization sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs.
The organization maintains maintenance records for the information system that include the date and time of maintenance, the name of the individual performing the maintenance, the name of escort, if necessary, a description of the maintenance performed, and a list of equipment removed or replaced (including identification numbers, if applicable).
The organization employs automated mechanisms to schedule, conduct, and document maintenance and repairs as required.
The organization allows the use of nonlocal maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system.
The organization employs strong authenticators in the establishment of nonlocal maintenance and diagnostic sessions.
The organization maintains records for nonlocal maintenance and diagnostic activities.
The organization terminates sessions and network connections when nonlocal maintenance is completed.
The organization employs cryptographic mechanisms to protect the integrity and confidentiality of non-local maintenance and diagnostic communications.
The organization employs remote disconnect verification at the termination of non-local maintenance and diagnostic sessions.
The organization maintains a list of authorized maintenance organizations or personnel.
The organization ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance.
The organization implements procedures for the use of maintenance personnel who lack appropriate security clearances or are not U.S. citizens.
The organization requires maintenance personnel who do not have needed access authorizations, clearances, or formal access approvals to be escorted and supervised during the performance of maintenance and diagnostic activities on the information system by approved organizational personnel who are fully cleared, have appropriate access authorizations, and are technically qualified.
The organization ensures that approvals, consents, and detailed operational conditions regarding the use of foreign nationals to conduct maintenance and diagnostic activities on classified information systems are fully documented within Memoranda of Agreements.
The organization defines a list of security-critical information system components and/or key information technology components for which it will obtain maintenance support and/or spare parts.
The organization defines a time period for obtaining maintenance support and/or spare parts for security-critical information system components and/or key information technology components.
The organization develops and documents procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls.
The organization disseminates physical and environmental protection procedures to organization-defined personnel or roles.
The organization defines the frequency with which to review and update the physical and environmental protection procedures.
The organization reviews the access list detailing authorized facility access by individuals in accordance with organization-defined frequency.
The organization defines the frequency with which to review the access list detailing authorized facility access by individuals.
The organization authorizes physical access to the facility where the information system resides based on position or role.
The organization inventories organization-defined physical access devices on an organization-defined frequency.
The organization defines the frequency for conducting inventories of organization-defined physical access devices.
The organization changes combinations and keys in accordance with organization-defined frequency and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.
The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility where the information system resides at organization-defined physical spaces containing one or more components of the information system.
The organization performs security checks in accordance with organization-defined frequency at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.
The organization employs guards and/or alarms to monitor every physical access point to the facility where the information system resides 24 hours per day, 7 days per week.
The organization uses lockable physical casings to protect organization-defined information system components from unauthorized physical access.
The organization defines information system components to be protected from unauthorized physical access using lockable physical casings.
The organization employs organization-defined security safeguards to deter and/or prevent physical tampering or alteration of organization-defined hardware components within the information system.
The organization monitors physical access to the information system to detect and respond to physical security incidents.
The organization coordinates results of reviews and investigations with the organization's incident response capability.
The organization monitors physical intrusion alarms and surveillance equipment.
The organization employs automated mechanisms to recognize potential intrusions and initiate designated response actions.
The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.
The organization defines critical information system components that require automatic voltage controls.
The organization provides the capability of shutting off power to the information system or individual system components in emergency situations.
The organization places emergency shutoff switches or devices in an organization-defined location by information system or system component to facilitate safe and easy access for personnel.
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability in the event of an extended loss of the primary power source.
The organization provides a long-term alternate power supply for the information system that is self-contained and not reliant on external power generation.
The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
The organization ensures that the facility undergoes, on an organization-defined frequency, fire marshal inspections and promptly resolves identified deficiencies.
The organization defines acceptable temperature and humidity levels to be maintained within the facility where the information system resides.
The organization monitors temperature and humidity levels in accordance with organization-defined frequency.
The organization defines a frequency for monitoring temperature and humidity levels.
The organization employs automatic temperature and humidity controls in the facility to prevent fluctuations potentially harmful to the information system.
The organization employs organization-defined security controls at alternate work sites.
The organization defines management, operational, and technical information system security controls to be employed at alternate work sites.
The organization assesses, as feasible, the effectiveness of security controls at alternate work sites.
The organization positions information system components within the facility to minimize potential damage from environmental hazards.
The organization defines a frequency for reviewing and updating the current media protection policy.
The organization develops and documents procedures to facilitate the implementation of the media protection policy and associated media protection controls.
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the media protection policy and associated media protection controls.
The organization defines types of information system media to exempt from marking as long as the media remain within organization-defined controlled areas.
The organization defines controlled areas where organization-defined types of information system media are exempt from being marked.
The organization employs an identified custodian during transport of information system media outside of controlled areas.
The organization tests sanitization equipment and procedures in accordance with the organization-defined frequency to verify that the intended sanitization is being achieved.
The organization reviews and updates the current risk assessment policy in accordance with organization-defined frequency.
The organization defines the frequency with which to review and update the current risk assessment policy.
The organization develops and documents procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls.
The organization disseminates risk assessment procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls to organization-defined personnel or roles.
The organization reviews and updates the current risk assessment procedures in accordance with organization-defined frequency.
The organization defines the frequency with which to review and update the current risk assessment procedures.
The organization scans for vulnerabilities in the information system and hosted applications on an organization-defined frequency.
The organization scans for vulnerabilities in the information system and hosted applications when new vulnerabilities potentially affecting the system/applications are identified and reported.
The organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: enumerating platforms, software flaws, and improper configurations; formatting checklists and test procedures; and measuring vulnerability impact.
The organization defines response times for remediating legitimate vulnerabilities in accordance with an organization assessment of risk.
The organization shares information obtained from the vulnerability scanning process and security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
The organization employs automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization-defined frequency.
The organization employs an independent penetration agent or penetration team to conduct a vulnerability analysis on the information system.
The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system based on the vulnerability analysis to determine the exploitability of identified vulnerabilities.
The organization develops a system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
The information system prevents the presentation of information system management-related functionality at an interface for non-privileged users.
The information system isolates security functions from nonsecurity functions.
The information system utilizes underlying hardware separation mechanisms to implement security function isolation.
The information system isolates security functions enforcing access and information flow control from both nonsecurity functions and from other security functions.
The organization implements an information system isolation boundary to minimize the number of nonsecurity functions included within the boundary containing security functions.
The information system prevents unauthorized and unintended information transfer via shared system resources.
The information system does not share resources that are used to interface with systems operating at different security levels.
The organization physically allocates publicly accessible information system components to separate subnetworks with separate physical network interfaces.
The organization defines a frequency for the review of exceptions to the traffic flow policy for each external telecommunication service.
The organization prevents the unauthorized release of information outside of the information system boundary or any unauthorized communication through the information system boundary when there is an operational failure of the boundary protection mechanisms.
The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.
The organization isolates organization-defined information security tools, mechanisms, and support components from other internal information system components by implementing physically separate subnetworks with managed interfaces to other components of the system.
The organization defines key information security tools, mechanisms, and support components to be isolated.
The organization protects against unauthorized physical connections at organization-defined managed interfaces.
The organization defines the managed interfaces where boundary protections against unauthorized physical connections are to be implemented.
The information system prevents discovery of specific system components composing a managed interface.
The information system establishes a trusted communications path between the user and organization-defined security functions within the information system.
The organization defines security functions to include information system authentication and reauthentication.
The organization establishes cryptographic keys for required cryptography employed within the information system.
The organization produces, controls, and distributes symmetric cryptographic keys using NIST-approved or NSA-approved key management technology and processes.
The organization produces, controls, and distributes symmetric and asymmetric cryptographic keys using NSA-approved key management technology and processes.
The information system protects the integrity and availability of publicly available information and applications.
The information system prohibits remote activation of collaborative computing devices, excluding the organization-defined exceptions where remote activation is to be allowed.
The organization defines exceptions to the prohibition of collaborative computing devices where remote activation is to be allowed.
The information system provides an explicit indication of use to users physically present at collaborative computing devices.
The information system provides physical disconnect of collaborative computing devices in a manner that supports ease of use.
The information system or supporting environment blocks both inbound and outbound traffic between instant messaging clients that are independently configured by end users and external service providers.
The organization disables or removes collaborative computing devices from organization-defined information systems or information system components in organization-defined secure work areas.
The organization monitors the use of mobile code within the information system.
The organization controls the use of mobile code within the information system.
The information system identifies organization-defined unacceptable mobile code.
The organization ensures the development of mobile code to be deployed in information systems meets organization-defined mobile code requirements.
The organization defines requirements for the acquisition, development, and use of mobile code.
The information system prevents the automatic execution of mobile code in organization-defined software applications.
The organization defines software applications in which automatic mobile code execution is to be prohibited.
The organization defines actions to be enforced by the information system before executing mobile code.
The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child zones.
The information system performs data origin authentication and data integrity verification on all resolution responses received whether or not local client systems explicitly request this service.
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant.
The information systems that collectively provide name/address resolution service for an organization implement internal/external role separation.
The information system invalidates session identifiers upon user logout or other session termination.
The organization defines system state information that should be preserved in the event of a system failure.
The information system employs organization-defined information system components with minimal functionality and information storage.
The information system includes components specifically designed to be the target of malicious attacks for the purpose of detecting, deflecting, and analyzing such attacks.
The information system includes components that proactively seek to identify malicious websites and/or web-based malicious code.
The information system includes organization-defined platform-independent applications.
The organization employs a diverse set of information technologies for organization-defined information system components in the implementation of the information system.
The organization employs virtualization techniques to support the deployment of a diversity of operating systems that are changed on an organization-defined frequency.
The organization defines the frequency of changes to operating systems and applications to support a diversity of deployments.
The organization employs randomness in the implementation of the virtualization techniques.
The organization employs organization-defined information system components with no writeable storage that is persistent across component restart or power on/off.
The organization defines the information system components to be employed with no writeable storage.
The organization protects the integrity of information prior to storage on read-only media.
The organization develops and documents a system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
The organization disseminates the system and information integrity policy to organization-defined personnel or roles.
The organization develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system integrity controls.
The organization disseminates to organization-defined personnel or roles procedures to facilitate the implementation of the system and information integrity policy and associated system integrity controls.
The organization reviews and updates system and information integrity procedures in accordance with organization-defined frequency.
The organization tests software updates related to flaw remediation for effectiveness before installation.
The organization tests software updates related to flaw remediation for potential side effects before installation.
The organization incorporates flaw remediation into the organizational configuration management process.
The organization employs automated mechanisms on an organization-defined frequency to determine the state of information system components with regard to flaw remediation.
The organization defines a frequency for employing automated mechanisms to determine the state of information system components with regard to flaw remediation.
The organization measures the time between flaw identification and flaw remediation.
The organization addresses the receipt of false positives during malicious code detection and eradication, and the resulting potential impact on the availability of the information system.
The information system automatically updates malicious code protection mechanisms.
The information system prevents non-privileged users from circumventing malicious code protection capabilities.
The organization does not allow users to introduce removable media into the information system.
The organization tests malicious code protection mechanisms on an organization-defined frequency by introducing a known benign, non-spreading test case into the information system.
The organization deploys monitoring devices at ad hoc locations within the system to track specific types of transactions of interest to the organization.
The organization heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.
The organization obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.
The organization interconnects and configures individual intrusion detection tools into a systemwide intrusion detection system using common protocols.
The organization employs automated tools to support near real-time analysis of events.
The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.
The information system provides near real-time alerts when any of the organization-defined list of compromise or potential compromise indicators occurs.
The organization defines indicators of compromise or potential compromise to the security of the information system which will result in information system alerts being provided to organization-defined personnel or roles.
The organization defines the activities which will trigger alerts to security personnel of inappropriate or unusual activities.
The organization analyzes communications traffic/event patterns for the information system.
The organization develops profiles representing common traffic patterns and/or events.
The organization uses the traffic/event profiles in tuning system monitoring devices to reduce the number of false positives to an organization-defined measure of false positives and the number of false negatives to an organization-defined measure of false negatives.
The organization defines the respective measurements to which the organization must tune system monitoring devices to reduce the number of false negatives.
The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
The organization defines the personnel or roles to whom the organization will disseminate security alerts, advisories, and directives.
The organization implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
The organization employs automated mechanisms to make security alert and advisory information available throughout the organization.
The information system verifies the correct operation of security functions in accordance with organization-defined conditions and in accordance with organization-defined frequency (if periodic verification).
The organization defines the appropriate conditions, including the system transitional states if applicable, for verifying the correct operation of security functions.
The organization defines the information system responses and alternative action(s) to anomalies discovered during security function verification.
The information system notifies organization-defined personnel or roles of failed security verification tests.
The organization employs automated tools that provide notification to organization-defined personnel or roles upon discovering discrepancies during integrity verification.
The organization requires use of tamper-evident packaging for organization-defined information system components during organization-defined conditions.
The organization defines information system components that require tamper-evident packaging.
The organization restricts the capability to input information to the information system to authorized personnel.
The information system identifies potentially security-relevant error conditions.
The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
The organization defines sensitive or potentially harmful information that should not be contained in error logs and administrative messages.
The information system reveals error messages only to organization-defined personnel or roles.
The organization handles information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
The organization protects the information system from harm by considering mean time to failure rates for an organization-defined list of information system components in specific environments of operation.
The organization defines the minimum frequency at which the organization manually initiates a transfer between active and standby information system components if the mean time to failure (MTTF) exceeds the organization-defined time period.
The organization defines a time period that the mean time to failure (MTTF) must exceed before the organization manually initiates a transfer between active and standby information system components.
The organization, if information system component failures are detected, ensures standby components are successfully and transparently installed within an organization-defined time period.
The organization defines a time period for a standby information system component to be successfully and transparently installed for the information system component that has failed.
The organization, if an information system component failure is detected, activates an organization-defined alarm and/or automatically shuts down the information system.
The organization prohibits the use of unclassified mobile devices in facilities containing information systems processing, storing, or transmitting classified information unless specifically permitted by the authorizing official.
The organization prohibits connection of unclassified mobile devices to classified information systems.
The organization requires approval from the authorizing official for the connection of unclassified mobile devices to unclassified information systems.
The information system associates the identity of the information producer with the information.
The information system validates the binding of the information producer's identity to the information.
The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.
The information system validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between organization-defined security domains.
The organization employs either FIPS-validated or NSA-approved cryptography to implement digital signatures.
The information system invokes a system shutdown in the event of an audit failure, unless an alternative audit capability exists.
The organization specifies the permitted actions for each authorized information system process, role, and/or user in the audit and accountability policy.
The organization employs automated mechanisms to alert security personnel of any organization-defined inappropriate or unusual activities with security implications.
The organization defines a list of inappropriate or unusual activities with security implications that are to result in alerts to security personnel.
The organization manages information system accounts by deactivating temporary accounts that are no longer required.
The organization manages information system accounts by deactivating accounts of terminated or transferred users.
The organization reports atypical usage to designated organizational officials.
The organization establishes privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles.
The organization defines user information to be encrypted or stored off-line in a secure location.
The organization defines system information to be encrypted or stored off-line in a secure location.
The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
The organization defines information security policy filters requiring fully enumerated formats which are to be implemented when transferring information between different security domains.
The information system, when transferring information between different security domains, implements organization-defined security policy filters requiring fully enumerated formats that restrict data structure and content.
The information system, when transferring information between different security domains, examines the information for the presence of organization-defined unsanctioned information.
The information system, when transferring information between different security domains, prohibits the transfer of organization-defined unsanctioned information in accordance with the organization-defined security policy.
The information system, for publicly accessible systems, displays system use information under organization-defined conditions before granting further access.
The information system, for publicly accessible systems, displays references, if any, to monitoring that are consistent with privacy accommodations for such systems that generally prohibit those activities.
The information system, for publicly accessible systems, displays references, if any, to recording that are consistent with privacy accommodations for such systems that generally prohibit those activities.
The information system, for publicly accessible systems, displays references, if any, to auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities.
The information system, for publicly accessible systems, includes a description of the authorized uses of the system.
The organization defines the time period that the information system notifies the user of the number of unsuccessful logon/access attempts.
The information system notifies the user of the number of successful logins/accesses that occur during the organization-defined time period.
The information system notifies the user of the number of unsuccessful login/access attempts that occur during the organization-defined time period.
The organization defines security attributes for which the information system supports and maintains the bindings for information in process.
The organization defines security attributes for which the information system supports and maintains the bindings for information in transmission.
The information system supports and maintains the binding of organization-defined security attributes to information in storage.
The organization defines a time period of expected inactivity when users are required to log out.
The organization administers privileged user accounts in accordance with a role-based access scheme that organizes allowed information system access and privileges into roles.
The organization defines privileged commands for which dual authorization is to be enforced.
The organization defines nondiscretionary access control policies to be enforced over the organization-defined set of users and resources, where the rule set for each policy specifies access control information employed by the policy rule set (e.g., position, nationality, age, project, time of day) and required relationships among the access control information to permit access.
The organization defines the set of users and resources over which the information system is to enforce nondiscretionary access control policies.
The organization defines security-relevant information to which the information system prevents access except during secure, non-operable system states.
The organization encrypts or stores off-line, in a secure location, organization-defined user information.
The organization encrypts or stores off-line, in a secure location, organization-defined system information.
The organization defines the security functions or security-relevant information to which users of information system accounts, or roles, have access.
The organization defines the privileged commands to which network access is to be authorized only for organization-defined compelling operational needs.
The organization limits authorization to super user accounts on the information system to designated system administration personnel.
The organization prohibits privileged access to the information system by non-organizational users.
The organization defines the time period in which the organization-defined maximum number of consecutive invalid logon attempts occur.
The organization identifies special dissemination, handling, or distribution instructions for identifying security attributes on output.
The organization defines additional security measures to be employed when an organization-defined list of security functions and security-relevant information is accessed remotely.
The organization defines networking protocols within the information system deemed to be nonsecure.
The organization disables organization-defined networking protocols within the information system deemed to be nonsecure except for explicitly identified components in support of specific operational requirements.
The organization documents the rationale for the execution of privileged commands and access to security-relevant information in the security plan for the information system.
The organization monitors for unauthorized wireless access to the information system.
The organization authorizes wireless access to the information system prior to allowing such connections.
The organization enforces requirements for wireless connections to the information system.
The organization defines a frequency of monitoring for unauthorized wireless connections to the information system, including scans for unauthorized wireless access points.
The organization takes appropriate action if an unauthorized wireless connection is discovered.
The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
The organization does not allow users to independently configure wireless networking capabilities.
The organization selects radio antennas and calibrates transmission power levels to reduce the probability that usable signals can be received outside of organization-controlled boundaries.
The information system enforces the organization-defined time period during which the limit of consecutive invalid access attempts by a user is counted.
The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.
The organization ensures that remote sessions for accessing an organization-defined list of security functions and security-relevant information are audited.
The organization explicitly identifies components needed in support of specific operational requirements.
The information system provides the capability for authorized users to capture/record and log content related to a user session.
The information system provides the capability to remotely view/hear all content related to an established user session in real time.
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to store organization-controlled information using the external information systems.
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to transmit organization-controlled information using the external information systems.
The organization prohibits authorized individuals from using an external information system to process organization-controlled information except in situations where the organization can verify the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.
The organization reviews the content on the publicly accessible information system for nonpublic information on an organization-defined frequency.
The organization defines a frequency for reviewing the content on the publicly accessible information system for nonpublic information.
The organization removes nonpublic information from the publicly accessible information system, if discovered.
The organization provides refresher security awareness training to all information system users (including managers, senior executives, and contractors) in accordance with the organization-defined frequency.
The organization defines the frequency for providing refresher security awareness training to all information system users (including managers, senior executives, and contractors).
The organization provides organization-defined personnel or roles with initial training in the employment and operation of environmental controls.
The organization provides organization-defined personnel or roles with refresher training in the employment and operation of environmental controls in accordance with the organization-defined frequency.
The organization defines a frequency for providing employees with refresher training in the employment and operation of environmental controls.
The organization defines the frequency of (or situation requiring) auditing for each identified event.
The organization defines information system components for which generated audit records are centrally managed by the organization.
The information system implements cryptographic mechanisms to protect the integrity of audit tools.
The organization defines a frequency for the reviews and updates to the baseline configuration of the information system.
The organization defines a time period after which proposed changes to the information system that have not been approved or disapproved are highlighted.
The information system automatically implements organization-defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately.
The organization defines safeguards and countermeasures to be employed by the information system if security functions (or mechanisms) are changed inappropriately.
The organization monitors changes to the configuration settings in accordance with organizational policies and procedures.
The organization controls changes to the configuration settings in accordance with organizational policies and procedures.
The organization reviews and updates position risk designations in accordance with organization-defined frequency.
The organization defines the frequency with which to review and update position risk designations.
The organization screens individuals prior to authorizing access to the information system.
The organization rescreens individuals with authorized access to the information system according to organization-defined conditions requiring rescreening, and where rescreening is so indicated, on the organization-defined frequency of such rescreening.
The organization defines the conditions requiring rescreening of individuals with authorized access to the information system.
The organization defines the frequency for rescreening individuals with authorized access to the information system when organization-defined conditions requiring rescreening are met.
The organization ensures that individuals accessing an information system processing, storing, or transmitting classified information are cleared and indoctrinated to the highest classification level of the information to which they have access on the system.
The organization ensures that individuals accessing an information system processing, storing, or transmitting types of classified information which require formal indoctrination, are formally indoctrinated for all of the relevant types of information to which they have access on the system.
The organization, upon termination of individual employment, disables information system access within an organization-defined time period.
The organization, upon termination of individual employment, conducts exit interviews that include a discussion of organization-defined information security topics.
The organization defines transfer or reassignment actions to initiate within an organization-defined time period following the formal personnel transfer action.
The organization defines the time period within which the organization initiates organization-defined transfer or reassignment actions following the formal personnel transfer action.
The organization ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access.
The organization reviews and updates access agreements for organizational information systems in accordance with organization-defined frequency.
The organization defines the frequency with which to review and update access agreements for organizational information systems.
The organization establishes personnel security requirements including security roles and responsibilities for third-party providers.
The organization disseminates the most recent information security program plan to appropriate entities in the organization that includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
The organization manages information system authenticators by ensuring that authenticators have sufficient strength of mechanism for their intended use.
The organization defines a frequency for reviewing and updating the access control policy.
The organization defines a frequency for reviewing and updating the access control procedures.
The organization defines the frequency at which it will review information system accounts for compliance with account management requirements.
The organization defines the information flow control policies for controlling the flow of information within the system.
The information system tracks problems associated with the information transfer.
The organization identifies the individuals authorized to change the value of associated security attributes.
The organization identifies individuals (or processes acting on behalf of individuals) authorized to associate organization-defined security attributes with organization-defined objects.
The organization defines managed access control points for remote access to the information system.
The organization defines the appropriate action(s) to be taken if an unauthorized remote connection is discovered.
The organization defines the appropriate action(s) to be taken if an unauthorized wireless connection is discovered.
The organization defines the frequency of security awareness and training policy reviews and updates.
The organization defines the frequency of security awareness and training procedure reviews and updates.
The organization defines whether to reject or delay network traffic that exceeds organization-defined thresholds.
The information system rejects or delays, as defined by the organization, network traffic which exceeds the organization-defined thresholds.
The organization defines the system or system component for storing audit records that is a different system or system component than the system or component being audited.
The information system produces a system-wide (logical or physical) audit trail of information system audit records.
The organization, when analyzing new software in a separate test environment, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
The organization-defined security configuration checklists reflect the most restrictive mode consistent with operational requirements.
The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure they are tracked.
The organization develops a list of software programs not authorized to execute on the information system.
The organization defines the rules authorizing the terms and conditions of software program usage on the information system.
The organization maintains a list of software programs authorized to execute on the information system.
The organization maintains a list of software programs not authorized to execute on the information system.
The organization outlines explicit mitigation actions for organization-identified potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster.
The organization establishes alternate telecommunications services to support the information system.
The organization identifies the primary provider's telecommunications service hazards.
The organization can activate the redundant secondary information system that is not collocated with the primary system without loss of information or disruption to operations.
The organization defines the time period (by authenticator type) for changing/refreshing authenticators.
The organization defines the minimum number of special characters for password complexity enforcement.
The organization defines the minimum number of upper case characters for password complexity enforcement.
The organization defines the minimum number of lower case characters for password complexity enforcement.
The incident response training material addresses the procedures and activities necessary to fulfill identified organizational incident response roles and responsibilities.
The organization implements the resulting incident handling activity changes to incident response procedures, training, and testing/exercises accordingly.
The organization employs automated mechanisms to assist in the collection of security incident information.
The organization employs automated mechanisms to assist in the analysis of security incident information.
The organization defines a frequency with which to review and update the current system maintenance procedures.
The organization reviews and updates the current security planning policy in accordance with organization-defined frequency.
The organization defines the frequency with which to review and update the current security planning procedures.
The organization makes readily available to individuals requiring access to the information system the rules that describe their responsibilities and expected behavior with regard to information and information system usage.
The organization defines the process for conducting random vulnerability scans on the information system and hosted applications.
The organization defines the organizational document in which risk assessment results are documented (e.g., security plan, risk assessment report).
The organization scans for vulnerabilities in the information system and hosted applications in accordance with the organization-defined process for random scans.
The organization requires the information system developers to manage and control changes to the information system during modification.
The organization requires the information system integrators to manage and control changes to the information system during modification.
The organization defines the security functions of the information system to be isolated from nonsecurity functions.
The organization compares the time measured between flaw identification and flaw remediation with organization-defined benchmarks.
The organization employs malicious code protection mechanisms at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means or inserted through the exploitation of information system vulnerabilities.
The organization defines the frequency of testing malicious code protection mechanisms.
The organization analyzes outbound communications traffic at selected organization-defined interior points within the system (e.g., subnetworks, subsystems) to discover anomalies.
The organization employs a wireless intrusion detection system to identify rogue wireless devices.
The information system notifies organization-defined personnel or roles for account modification actions.
The information system notifies organization-defined personnel or roles for account disabling actions.
The information system notifies organization-defined personnel or roles for account removal actions.
The organization establishes organization-defined restrictions on the use of open source software.
The organization defines the previous versions of the baseline configuration of the information system required to support rollback.
The organization defines the information systems, system components, or devices that are to have organization-defined configurations applied when located in areas of significant risk.
The organization defines the security configurations to be implemented on information systems, system components, or devices when they are located in areas of significant risk.
The organization defines critical firmware components the information system will prevent from being installed without verification the component has been digitally signed using a certificate that is recognized and approved by the organization.
The information system prevents the installation of organization-defined software components without verification the software component has been digitally signed using a certificate that is recognized and approved by the organization.
The organization enforces dual authorization for changes to organization-defined system-level information.
The organization limits privileges to change information system components within a production or operational environment.
The organization defines the software programs not authorized to execute on the information system.
The organization identifies the organization-defined software programs not authorized to execute on the information system.
The organization employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system.
The organization updates the list of authorized software programs per organization-defined frequency.
The organization updates the information system component inventory per organization-defined frequency.
The organization defines the security safeguards to be applied to devices when they return from areas of significant risk.
The organization defines the frequency with which to reevaluate information system privileges.
The organization reviews information system privileges per an organization-defined frequency.
The organization disseminates the audit and accountability policy to organization-defined personnel or roles.
The organization documents procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
The organization defines the network communication traffic volume thresholds reflecting limits on auditing capacity, specifying when the information system will reject or delay network traffic that exceeds those thresholds.
The organization defines the personnel or roles to receive the reports of organization-defined inappropriate or unusual activity.
The information system provides an audit reduction capability that supports on-demand reporting requirements.
The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents.
The organization manages information system authenticators by changing authenticators for group/role accounts when membership to those accounts changes.
The organization coordinates with organization-defined external organizations for cross-organization management of credentials.
The organization defines the time period after which the use of cached authenticators is prohibited.
The information system prohibits the use of cached authenticators after an organization-defined time period.
The organization, for PKI-based authentication, employs a deliberate organization-wide methodology for managing the content of PKI trust stores installed across all platforms including networks, operating systems, browsers, and applications.
The information system accepts Personal Identity Verification (PIV) credentials from other federal agencies.
The information system electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies.
The organization defines the information systems which will employ only FICAM-approved information system components.
The organization defines the security safeguards to be used when identifying information system services.
The organization identifies organization-defined information system services using organization-defined security safeguards.
The organization ensures that service providers receive identification information.
The organization ensures that service providers validate identification information.
The organization ensures that service providers transmit identification information.
The organization ensures that service providers receive authentication information.
The organization ensures that service providers transmit authentication information.
The organization defines the services between which authentication decisions are to be transmitted.
The organization requires that individuals accessing the information system employ organization-defined supplemental authentication techniques or mechanisms under specific organization-defined circumstances or situations.
The organization defines the circumstances or situations under which users will be required to reauthenticate.
The organization defines the circumstances or situations under which devices will be required to reauthenticate.
The organization requires users to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.
The organization requires devices to reauthenticate upon organization-defined circumstances or situations requiring reauthentication.
The organization requires that the registration process to receive an individual identifier includes supervisor authorization.
The organization defines the personnel or roles to whom the security awareness and training policy is disseminated.
The organization defines the personnel or roles to whom the security awareness and training procedures are disseminated.
The organization defines the personnel or roles to whom initial and refresher training in the employment and operation of physical security controls is to be provided.
The organization includes practical exercises in security training that reinforce training objectives.
The organization provides training to its personnel on organization-defined indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems.
The organization defines indicators of malicious code to recognize suspicious communications and anomalous behavior in organizational information systems.
The organization defines the frequency at which to conduct security control assessments.
The organization accepts the results of an assessment of the organization-defined information system performed by an organization-defined external organization when the assessment meets organization-defined requirements.
The organization defines the information systems for which they will accept the results of an assessment performed by an external organization.
The organization defines the external organizations from which assessment results for organization-defined information systems will be accepted.
The organization defines the requirements the assessments for organization-defined information systems from organization-defined external organizations must meet.
The organization's security assessment plan describes the assessment team, and assessment roles and responsibilities.
The organization defines the individuals or roles to whom the results of the security control assessment are to be provided.
The organization defines the unclassified, national security systems that are prohibited from directly connecting to an external network without the use of an organization-defined boundary protection device.
The organization defines the boundary protection device to be used to connect organization-defined unclassified, national security systems to an external network.
The organization defines the boundary protection device to be used for the direct connection of classified, national security systems to an external network.
The organization defines the information system that is prohibited from directly connecting to a public network.
The organization defines the information systems that employ either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing connections to external information systems.
The organization selects either an allow-all, deny-by-exception or a deny-all, permit-by-exception policy for allowing organization-defined information systems to connect to external information systems.
The organization reviews and updates Interconnection Security Agreements on an organization-defined frequency.
The organization defines the frequency at which reviews and updates to the Interconnection Security Agreements must be conducted.
The organization defines the frequency for conducting penetration testing on organization-defined information systems or system components.
The organization defines the information systems or system components on which penetration testing will be conducted.
The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.
The organization defines red team exercises to simulate attempts by adversaries to compromise organizational information systems.
The organization defines rules of engagement for red team exercises to simulate attempts by adversaries to compromise organizational information systems.
The organization defines the information system components or classes of components that are authorized internal connections to the information system.
The organization documents, for each internal connection, the interface characteristics.
The organization documents, for each internal connection, the security requirements.
The organization documents, for each internal connection, the nature of the information communicated.
The organization defines the personnel or roles to be recipients of the access control policy necessary to facilitate the implementation of the access control policy and associated access controls.
The organization specifies authorized users of the information system for each account.
The organization specifies authorized group membership on the information system.
The organization specifies authorized role membership on the information system.
The organization specifies access authorizations (i.e., privileges) for each account on the information system.
The organization defines the personnel or roles authorized to approve the creation of information system accounts.
The organization defines the procedures or conditions to be employed when creating, enabling, modifying, disabling, and removing information system accounts.
The organization authorizes access to the information system based on intended system usage.
The organization authorizes access to the information system based on other attributes as required by the organization or associated missions/business functions.
The organization establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
The organization defines the personnel or roles to be notified on account creation, modification, enabling, disabling, and removal actions.
The information system notifies organization-defined personnel or roles for account enabling actions.
The organization defines a list of dynamic privilege management capabilities to be implemented by the information system.
The information system implements the organization-defined list of dynamic privilege management capabilities.
The organization defines the conditions for establishing shared/group accounts.
The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
The organization defines atypical usage for which the information system accounts are to be monitored.
The organization monitors information system accounts for organization-defined atypical use.
The organization defines the personnel or roles to whom atypical usage of information system accounts are to be reported.
The organization reports atypical usage of information system accounts to organization-defined personnel or roles.
The organization defines the time period within which the accounts of users posing a significant risk are to be disabled after discovery of the risk.
The mandatory access control policy specifies that a subject that has been granted access to information is constrained from choosing the security attributes to be associated with newly created or modified objects.
The mandatory access control policy specifies that a subject that has been granted access to information is constrained from choosing the attribute values to be associated with newly created or modified objects.
The organization defines the privileges that may explicitly be granted to organization-defined subjects such that they are not limited by some or all of the mandatory access control constraints.
The organization defines the discretionary access control policies the information system is to enforce over subjects and objects.
The organization specifies in the discretionary access control policies that a subject that has been granted access to information can do one or more of the following: pass the information to any other subjects or objects; grant its privileges to other subjects; change security attributes on subjects, objects, the information system, or the information system's components; choose the security attributes to be associated with newly created or revised objects; and/or change the rules governing access control.
The information system controls access based upon organization-defined roles authorized to assume such roles, employing the organization-defined role-based access control policy.
The information system controls access based upon organization-defined users authorized to assume such roles, employing the organization-defined role-based access control policy.
The organization defines the rules which will govern the timing of revocation of access authorizations.
The information system enforces the revocation of access authorizations resulting from changes to the security attributes of subjects based on organization-defined rules governing the timing of revocations of access authorizations.
The information system enforces the revocation of access authorizations resulting from changes to the security attributes of objects based on organization-defined rules governing the timing of revocations of access authorizations.
The organization defines the security safeguards the organization-defined information system or system component is to provide to protect information released outside the established system boundary.
The organization defines information systems or system components that are to provide organization-defined security safeguards to protect information received outside the established system boundary.
The information system does not release information outside of the established system boundary unless the receiving organization-defined information system or system component provides organization-defined security safeguards.
The organization defines the security safeguards to be used to validate the appropriateness of the information designated for release.
The information system does not release information outside of the established system boundary unless organization-defined security safeguards are used to validate the appropriateness of the information designated for release.
The organization defines the information flow control policies to be enforced for flow control decisions.
The organization defines the policies the information system is to enforce to achieve dynamic information flow control.
The organization defines procedures or methods to be employed by the information system to prevent encrypted information from bypassing content-checking mechanisms, such as decrypting the information, blocking the flow of the encrypted information, and/or terminating communications sessions attempting to pass encrypted information.
The organization defines the metadata the information system uses to enforce information flow control.
The organization defines the data type identifiers to be used to validate data being transferred between different security domains.
The information system, when transferring information between different security domains, uses organization-defined data type identifiers to validate data essential for information flow decisions.
The organization defines the policy-relevant subcomponents into which information being transferred between different security domains is to be decomposed for submission to policy enforcement mechanisms.
The organization defines the unsanctioned information the information system is to examine when transferring information between different security domains.
The organization defines the techniques to be used to bind security attributes to information.
The organization defines the solutions in approved configurations to be employed to control the flow of organization-defined information across security domains.
The organization defines the information to be subjected to flow control across security domains.
The organization employs organization-defined solutions in approved configurations to control the flow of organization-defined information across security domains.
The information system provides separate processing domains to enable finer-grained allocation of user privileges.
The organization defines the personnel or roles to whom privileged accounts are to be restricted on the information system.
The organization restricts privileged accounts on the information system to organization-defined personnel or roles.
The organization defines the frequency on which it conducts reviews of the privileges assigned to organization-defined roles or classes of users.
The organization reviews the privileges assigned to organization-defined roles or classes of users on an organization-defined frequency to validate the need for such privileges.
The organization reassigns or removes privileges, if necessary, to correctly reflect organizational mission/business needs.
The organization defines the mobile devices that are to be purged/wiped by the information system after an organization-defined number of consecutive, unsuccessful device logon attempts.
The information system purges/wipes information from organization-defined mobile devices based on organization-defined purging/wiping requirements/techniques after an organization-defined number of consecutive, unsuccessful device logon attempts.
The organization-defined information system use notification message or banner is to state that users are accessing a U.S. Government information system.
The organization-defined information system use notification message or banner is to state that information system usage may be monitored, recorded, and subject to audit.
The organization-defined information system use notification message or banner is to state that unauthorized use of the information system is prohibited and subject to criminal and civil penalties.
The organization defines the user actions that can be performed on the information system without identification and authentication.
The organization defines security attributes having organization-defined types of security attribute values which are associated with information in storage.
The organization defines security attributes having organization-defined types of security attribute values which are associated with information in process.
The organization defines security attributes, having organization-defined types of security attribute values, which are associated with information in transmission.
The organization defines security attribute values associated with organization-defined types of security attributes for information in process.
The organization establishes the permitted organization-defined security attributes for organization-defined information systems.
The organization defines the security policies the information system is to adhere to when dynamically associating security attributes with organization-defined subjects and objects.
The organization defines the subjects with which the information system is to dynamically associate security attributes as information is created and combined.
The organization defines the subjects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals).
The organization defines the objects with which organization-defined security attributes may be associated by authorized individuals (or processes acting on behalf of individuals).
The organization defines the security attributes authorized individuals (or processes acting on behalf of individuals) are permitted to associate with organization-defined subjects and objects.
The information system supports the association of organization-defined security attributes with organization-defined objects by authorized individuals (or processes acting on behalf of individuals).
The organization provides a consistent interpretation of security attributes transmitted between distributed information system components.
The information system provides authorized individuals the capability to define or change the type of security attributes available for association with subjects.
The information system provides authorized individuals the capability to define or change the value of security attributes available for association with subjects.
The information system provides authorized individuals the capability to define or change the type of security attributes available for association with objects.
The organization establishes and documents usage restrictions for each type of remote access allowed.
The organization establishes and documents configuration/connection requirements for each type of remote access allowed.
The organization establishes and documents implementation guidance for each type of remote access allowed.
The organization documents in the security plan for the information system the rationale for authorization of the execution of privilege commands via remote access.
The organization establishes configuration/connection requirements for wireless access.
The organization identifies and explicitly authorizes users allowed to independently configure wireless networking capabilities.
The organization permits authorized individuals to use an external information system to transmit organization-controlled information only when the organization verifies the implementation of required security controls on the external system as specified in the organization's information security policy and security plan.
The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization retains approved information system connection or processing agreements with the organizational entity hosting the external information system.
The organization restricts or prohibits the use of non-organizationally owned information systems, system components, or devices to process, store, or transmit organizational information.
The organization prohibits the use of organization-defined network accessible storage devices in external information systems.
The organization defines the information sharing restrictions to be enforced by the information system for information search and retrieval services.
The organization establishes procedures to ensure organization-defined access control decisions are applied to each access request prior to access enforcement.
The information system transmits organization-defined access authorization information using organization-defined security safeguards to organization-defined information systems which enforce access control decisions.
The organization defines the security attributes, not to include the identity of the user or process acting on behalf of the user, to be used as the basis for enforcing access control decisions.
The organization ensures unencrypted static authenticators are not embedded in applications.
The organization defines the personnel or roles to whom the risk assessment policy is disseminated.
The information system prevents unauthorized information transfer via shared resources in accordance with organization-defined procedures when system processing explicitly switches between different information classification levels or security categories.
The information system, in conjunction with a remote device, prevents the device from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks.
The information system detects outgoing communications traffic posing a threat to external information systems.
The information system only allows incoming communications from organization-defined authorized sources routed to organization-defined authorized destinations.
The organization defines the host-based boundary protection mechanisms that are to be implemented at organization-defined information system components.
The information system disables feedback to senders on protocol format validation failure.
The information system protects the confidentiality and/or integrity of transmitted information.
The organization establishes cryptographic keys for required cryptography employed within the information system in accordance with organization-defined requirements for key distribution.
The organization controls asymmetric cryptographic keys using: NSA-approved key management technology and processes; approved PKI Class 3 certificates or prepositioned keying material; or approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the user's private key.
The organization defines the storage that is to be distributed across multiple physical locations.
The organization defines the operations security safeguards to be employed to protect key organizational information throughout the system development life cycle.
The organization monitors the information system to detect unauthorized local connections.
The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) to detect covert exfiltration of information.
The organization analyzes outbound communications traffic at organization-defined interior points within the system (e.g., subsystems, subnetworks) to detect covert exfiltration of information.
The organization defines the host-based monitoring mechanisms to be implemented at organization-defined information system components.
The information system performs verification of the correct operation of organization-defined security functions: when the system is in an organization-defined transitional state; upon command by a user with appropriate privileges; and/or on an organization-defined frequency.
The organization defines the software on which integrity checks will be performed.
The information system implements cryptographic mechanisms to authenticate organization-defined software or firmware components prior to installation.
The organization ensures that input validation errors are reviewed within an organization-defined time period.
The organization defines the frequency at which it will terminate organization-defined non-persistent information system components and services.
The organization implements organization-defined non-persistent information system components and services that are initiated in a known state.
The organization defines the software programs and/or applications from which the information system is to validate the information output to ensure the information is consistent with expected content.
The organization defines the personnel or roles to whom the incident response procedures are disseminated.
The organization provides incident response training to information system users consistent with assigned roles and responsibilities when required by information system changes.
The organization defines the information system components for dynamic reconfiguration as part of the incident response capability.
The organization implements an incident handling capability for insider threats.
The organization coordinates an incident handling capability for insider threats across organization-defined components or elements of the organization.
The organization's incident response plan provides the organization with a roadmap for implementing its incident response capability.
The organization's incident response plan describes the structure and organization of the incident response capability.
The organization's incident response plan defines the resources and management support needed to effectively maintain and mature an incident response capability.
The organization defines personnel or roles to review and approve the incident response plan.
The organization defines incident response personnel (identified by name and/or by role) and organizational elements to whom incident response plan changes will be communicated.
The organization defines personnel or roles to whom responsibility for responding to information spills will be assigned.
The organization provides information spillage response training according to an organization-defined frequency.
The organization employs organization-defined security safeguards for personnel exposed to information not within assigned access authorizations.
The organization identifies critical information system assets supporting essential business functions.
The organization defines a list of key contingency personnel (identified by name and/or by role) and organizational elements to whom contingency plan changes are to be communicated.
The organization protects the contingency plan from unauthorized disclosure and modification.
The organization defines the time period within which contingency training is to be provided to information system users, consistent with assigned roles and responsibilities, after they assume a contingency role or responsibility.
The organization obtains evidence of contingency testing by providers in accordance with organization-defined frequency.
The organization obtains evidence of contingency training by providers in accordance with organization-defined frequency.
The organization defines the frequency with which to test alternate telecommunication services.
The organization stores backup copies of organization-defined critical information system software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the operational system.
The organization defines the backup information that requires dual authorization for deletion or destruction.
The organization employs organization-defined alternative or supplemental security mechanisms for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised.
The organization defines the alternative or supplemental security mechanisms that will be employed for satisfying organization-defined security functions when the primary means of implementing the security function is unavailable or compromised.
The organization defines the personnel or roles to whom a system maintenance policy is disseminated.
The organization defines the personnel or roles to whom system maintenance procedures are to be disseminated.
The organization employs automated mechanisms to schedule, conduct, and document repairs.
The organization produces up-to-date, accurate, and complete records of all maintenance requested, scheduled, in process, and completed.
The organization includes organization-defined maintenance-related information in organizational maintenance records.
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by verifying that there is no organizational information contained on the equipment.
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by retaining the equipment within the facility.
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by obtaining an exemption from organization-defined personnel or roles explicitly authorizing removal of the equipment from the facility.
The organization reviews the records of the nonlocal maintenance and diagnostic sessions.
The organization defines the authenticators that are replay resistant which will be employed to protect nonlocal maintenance sessions.
The organization defines the personnel or roles authorized to approve each nonlocal maintenance session.
The organization notifies organization-defined personnel or roles of the date and time of planned nonlocal maintenance.
The information system implements remote disconnect verification at the termination of nonlocal maintenance and diagnostic sessions.
The organization develops and implements alternate security safeguards in the event an information system component cannot be sanitized, removed, or disconnected from the system.
The organization ensures that non-escorted personnel performing maintenance activities not directly associated with the information system, but in the physical proximity of the system, have required access authorizations.
The organization ensures that non-escorted personnel performing maintenance on the information system have required access authorizations.
The organization defines time intervals at which to perform preventive maintenance on organization-defined information system components.
The organization defines the personnel or roles to whom a physical and environmental protection policy is disseminated.
The organization defines the personnel or roles to whom the physical and environmental protection procedures are disseminated.
The organization maintains a list of individuals with authorized access to the facility where the information system resides.
The organization defines a list of acceptable forms of identification for visitor access to the facility where the information system resides.
The organization restricts unescorted access to the facility where the information system resides to personnel with one or more of the following: security clearances for all information contained within the system; formal access authorizations for all information contained within the system; need for access to all information contained within the system; organization-defined credentials.
The organization defines the credentials required for personnel to have unescorted access to the facility where the information system resides.
The organization defines the physical spaces containing one or more components of the information system that require physical access authorizations and controls at the facility where the information system resides.
The organization defines the frequency with which to perform security checks at the physical boundary of the facility or information system for unauthorized exfiltration of information or removal of information system components.
The organization defines the information system distribution and transmission lines within organizational facilities to which physical access is to be controlled using organization-defined security safeguards.
The organization defines security safeguards to control physical access to organization-defined information system distribution and transmission lines within organizational facilities.
The organization monitors physical access to the facility where the information system resides to detect and respond to physical security incidents.
The organization defines events or potential indications of events requiring review of physical access logs.
The organization employs automated mechanisms to recognize organization-defined classes/types of intrusions.
The organization defines classes/types of intrusions to recognize using automated mechanisms.
The organization employs automated mechanisms to initiate organization-defined response actions to organization-defined classes/types of intrusions.
The organization defines the distance by which to physically separate redundant power cabling paths.
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system and/or transition of the information system to long-term alternate power in the event of a primary power source loss.
The organization provides a long-term alternate power supply for the information system that is self-contained.
The organization provides a long-term alternate power supply for the information system that is not reliant on external power generation.
The organization provides a long-term alternate power supply for the information system that is capable of maintaining minimally required operational capability or full operational capability in the event of an extended loss of the primary power source.
The organization provides emergency lighting for all areas within the facility supporting essential business functions.
The organization employs fire detection devices/systems for the information system that activate automatically.
The organization employs fire detection devices/systems for the information system that automatically activate to notify organization-defined personnel or roles and organization-defined emergency responders in the event of a fire.
The organization ensures that the facility undergoes, on an organization-defined frequency, fire protection inspections by authorized and qualified inspectors.
The organization defines a frequency with which the facility undergoes fire protection inspections.
The organization defines the time period within which to resolve deficiencies identified during facility fire protection inspections.
The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts organization-defined personnel or roles.
The organization defines the personnel or roles to be alerted when automated mechanisms detect the presence of water in the vicinity of the information system.
The organization defines types of information system components to authorize, monitor, and control entering and exiting the facility and to maintain records.
The organization defines controlled areas where the location and movement of organization-defined assets are tracked and monitored.
The organization ensures that asset location technologies are employed in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.
The organization develops an organization-wide information security program plan that reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical).
The organization disseminates an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.
The organization disseminates an organization-wide information security program plan that includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
The organization disseminates an organization-wide information security program plan that reflects coordination among organizational entities responsible for the different aspects of information security (i.e., technical, physical, personnel, cyber-physical).
The organization protects the information security program plan from unauthorized modification.
The organization implements an insider threat program that includes a cross-discipline insider threat incident handling team.
The organization implements a process for ensuring that organizational plans for conducting security testing activities associated with organizational information systems are developed.
The organization implements a process for ensuring that organizational plans for conducting security testing activities associated with organizational information systems are maintained.
The organization implements a process for ensuring that organizational plans for conducting security training associated with organizational information systems continue to be executed in a timely manner.
The organization implements a process for ensuring that organizational plans for conducting security monitoring activities associated with organizational information systems continue to be executed in a timely manner.
The organization reviews testing plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
The organization reviews training plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
The organization defines the personnel or roles to whom the personnel security procedures are disseminated.
The organization ensures that individuals accessing an information system processing, storing, or transmitting information requiring special protection have valid access authorizations that are demonstrated by assigned official government duties.
The organization defines the time period within which to disable information system access upon termination of individual employment.
The organization, upon termination of individual employment, terminates/revokes any authenticators/credentials associated with the individual.
The organization develops and documents access agreements for organizational information systems.
The organization ensures that individuals requiring access to organizational information and information systems re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or in accordance with organization-defined frequency.
The organization defines the frequency for individuals requiring access to organization information and information systems to re-sign access agreements.
The organization defines the implementation information that the developer of the information system, system component, or information system service is required to provide for the security controls to be employed.
The organization documents trust relationships with external service providers based on organization-defined security requirements, properties, factors, or conditions defining acceptable trust relationships.
The organization requires the developer of the information system, system component, or information system service to perform attack surface reviews.
The organization defines the security safeguards to be employed to validate that the information system or system component received is genuine and has not been altered.
The organization defines the information system, information system component, or information system service supporting its critical missions/business functions in which the trustworthiness must be described.
The organization defines decision points in the system development life cycle at which the developer of the information system, system component, or information system service is required to perform a criticality analysis.
The organization requires that developers perform threat modeling for the information system at an organization-defined breadth/depth.
The organization requires the developer of the information system or system component to archive the system or component to be released or delivered together with the corresponding evidence supporting the final security review.
The organization requires the developer of the information system, system component, or information system service to provide organization-defined training on the correct use and operation of the implemented security functions, controls, and/or mechanisms.
The organization defines the elements of organization security policy to be described in the formal policy model for enforcement on the information system, system component, or information system service.
The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant software in terms of exceptions, error messages, and effects.
The organization requires the developer of the information system, system component, or information system service to produce, as an integral part of the development process, an informal descriptive top-level specification that specifies the interfaces to security-relevant firmware in terms of exceptions, error messages, and effects.
The organization requires the developer of the information system, system component, or information system service to show via informal demonstration or convincing argument with formal methods as feasible that the descriptive top-level specification is consistent with the formal policy model.
The organization requires the developer of the information system, system component, or information system service to design and structure the security-relevant firmware to use a complete, conceptually simple protection mechanism with precisely defined semantics.
The organization requires the developer of the information system, system component, or information system service to internally structure the security-relevant hardware with specific regard for the complete, conceptually simple protection mechanism with precisely defined semantics.
The organization requires the developer of the information system, component, or information system service to structure security-relevant hardware to facilitate testing.
The organization requires the developer of the information system, component, or information system service to structure security-relevant software to facilitate testing.
The organization defines the external reporting organizations to which counterfeit information system components are to be reported.
The organization defines the personnel or roles to whom counterfeit information system components are to be reported.
The organization trains organization-defined personnel or roles to detect counterfeit information system components (including hardware, software, and firmware).
The organization defines the information system components awaiting service/repair over which configuration control must be maintained.
The organization maintains configuration control over serviced/repaired components awaiting return to service.
The organization defines the information system, system component, or information system service which requires the information system developer to have appropriate access authorizations and satisfy additional personnel screening criteria.
The organization requires that the developer of an organization-defined information system, system component, or information system service have appropriate access authorizations as determined by assigned organization-defined official government duties.
The organization describes, in its privacy notices, the purpose(s) for which personally identifiable information (PII) is used.
The organization allocates sufficient organization-defined budget resources to implement and operate the organization-wide privacy program.
The organization documents a privacy risk management process which assesses the privacy risk to individuals.
The organization implements a privacy risk management process which assesses the privacy risk to individuals.
The organization's privacy risk management process assesses the privacy risk to individuals resulting from the sharing of personally identifiable information (PII).
The organization's privacy risk management process assesses the privacy risk to individuals resulting from the storing of personally identifiable information (PII).
The organization's privacy risk management process assesses the privacy risk to individuals resulting from the transmitting of personally identifiable information (PII).
The organization defines the frequency for monitoring privacy controls and internal privacy policy to ensure effective implementation.
The organization defines the frequency for auditing privacy controls and internal privacy policy to ensure effective implementation.
The organization administers basic privacy training per the organization-defined frequency.
The organization administers, per organization-defined frequency, targeted, role-based privacy training for personnel having responsibility for personally identifiable information (PII) or for activities that involve PII.
The organization defines the frequency, minimally annually, on which personnel certify acceptance of responsibilities for privacy requirements.
The organization ensures personnel certify (manually or electronically) acceptance of responsibilities for privacy requirements per organization-defined frequency.
The organization disseminates reports to the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates.
The organization updates reports for the Office of Management and Budget (OMB), Congress, and other oversight bodies, as appropriate, to demonstrate accountability with specific statutory and regulatory privacy program mandates.
The organization develops reports for senior management and other personnel with responsibility for monitoring privacy program progress and compliance.
The organization keeps an accurate accounting of disclosures of Privacy Act information held in each system of records under its control.
The organization retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer.
The organization makes the accounting of disclosures available to the person named in the record upon request.
The organization confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the accuracy of that information.
The organization confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the relevancy of that information.
The organization confirms to the greatest extent practicable upon collection or creation of personally identifiable information (PII), the timeliness of that information.
The organization issues guidelines maximizing the utility of disseminated Privacy Act information.
The organization issues guidelines maximizing the objectivity of disseminated Privacy Act information.
The organization issues guidelines maximizing the integrity of disseminated Privacy Act information.
The organization requests the individual or individual's authorized representative validate personally identifiable information (PII) during the collection process.
The organization defines the frequency on which it will request the individual, or individual's authorized representative, revalidate that personally identifiable information (PII) collected is still accurate.
On an organization-defined frequency, the organization requests the individual, or individual's authorized representative, revalidate that personally identifiable information (PII) collected is still accurate.
The organization documents processes to ensure the integrity of personally identifiable information (PII) through existing security controls.
The organization's Data Integrity Board oversees the organizational Computer Matching Agreements.
The organization defines the frequency, minimally annually, for conducting reviews of its personally identifiable information (PII) holdings.
The organization establishes a schedule for regularly reviewing the personally identifiable information (PII) holdings on an organization-defined frequency to ensure that only PII identified in the notice is collected and retained.
The organization follows a schedule for regularly reviewing the personally identifiable information (PII) holdings on an organization-defined frequency to ensure that only PII identified in the notice is collected and retained.
The organization follows a schedule for regularly reviewing the personally identifiable information (PII) holdings on an organization-defined frequency to ensure the PII continues to be necessary to accomplish the legally authorized purpose.
The organization, where feasible and within the limits of technology, locates and removes/redacts specified personally identifiable information (PII).
The organization, where feasible and within the limits of technology, uses anonymization and de-identification techniques to permit use of the retained Privacy Act information while reducing its sensitivity and reducing the risk resulting from disclosure.
The organization disposes of, destroys, erases, and/or anonymizes the personally identifiable information (PII), regardless of the method of storage, in a manner that prevents loss, theft, misuse, or unauthorized access.
The organization defines the techniques or methods to be employed to ensure the secure deletion or destruction of personally identifiable information (PII) (including originals, copies, and archived records).
The organization uses organization-defined techniques or methods to ensure secure deletion or destruction of personally identifiable information (PII) (including originals, copies, and archived records).
The organization develops policies that minimize the use of personally identifiable information (PII) for research.
The organization implements controls to protect personally identifiable information (PII) used for testing.
The organization implements controls to protect personally identifiable information (PII) used for training.
The organization implements controls to protect personally identifiable information (PII) used for research.
The organization obtains consent, where feasible and appropriate, from individuals prior to any new uses or disclosure of previously collected personally identifiable information (PII).
The organization ensures that individuals, where feasible, consent to all uses of personally identifiable information (PII) not initially described in the public notice that was in effect at the time the organization collected the PII.
The organization implements mechanisms to support itemized or tiered consent for specific uses of personally identifiable information (PII) data.
The organization provides individuals the ability to have access to their personally identifiable information (PII) maintained in its system(s) of records.
The organization publishes rules and regulations governing how individuals may request access to records maintained in a Privacy Act system of records.
The organization publishes regulations governing how individuals may request access to records maintained in a Privacy Act system of records.
The organization establishes a process, where feasible and appropriate, to notify affected individuals that their personally identifiable information (PII) has been corrected or amended.
The organization implements a process for responding to complaints, concerns, or questions from individuals about the organizational privacy practices.
The organization defines the time period within which it must respond to complaints, concerns, or questions from individuals about the organizational privacy practices.
The organization responds to complaints, concerns, or questions from individuals about the organizational privacy practices within the organization-defined time period.
The organization defines the frequency on which it will update the inventory that contains a listing of all programs and information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).
The organization establishes an inventory that contains a listing of all programs identified as collecting, using, maintaining, or sharing personally identifiable information (PII).
The organization establishes an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).
The organization updates, per organization-defined frequency, an inventory that contains a listing of all information systems identified as collecting, using, maintaining, or sharing personally identifiable information (PII).
The organization provides an organized and effective response to privacy incidents in accordance with the organizational Privacy Incident Response Plan.
The organization provides effective notice to individuals regarding its activities that impact privacy, including its collection, use, sharing, safeguarding, maintenance, and disposal of personally identifiable information (PII).
The organization provides effective notice to the public regarding its authority for collecting personally identifiable information (PII).
The organization provides effective notice to individuals regarding its authority for collecting personally identifiable information (PII).
The organization provides effective notice to the public regarding the choices, if any, individuals may have regarding how the organization uses personally identifiable information (PII).
The organization provides effective notice to individuals regarding the choices, if any, individuals may have regarding how the organization uses personally identifiable information (PII).
The organization provides effective notice to the public regarding the consequences of exercising or not exercising the choices regarding how the organization uses personally identifiable information (PII).
The organization provides effective notice to individuals regarding the consequences of exercising or not exercising the choices regarding how the organization uses personally identifiable information (PII).
The organization describes the purpose(s) for which it collects the personally identifiable information (PII).
The organization describes whether the organization shares personally identifiable information (PII) with external entities.
The organization describes the categories of those external entities with whom personally identifiable information (PII) is shared.
The organization describes the purposes for sharing personally identifiable information (PII) with external entities.
The organization describes whether individuals have the ability to consent to specific uses or sharing of personally identifiable information (PII).
The organization describes how individuals may obtain access to personally identifiable information (PII).
The organization provides real-time notice and/or layered notice when it collects personally identifiable information (PII).
The organization ensures the public has access to information about its privacy activities.
The organization ensures the public is able to communicate with its Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO).
The organization ensures its privacy practices are publicly available through organizational websites or otherwise.
The organization uses personally identifiable information (PII) internally only for the authorized purpose(s) identified in the Privacy Act and/or in public notices.
The organization shares personally identifiable information (PII) externally, only for the authorized purposes identified in the Privacy Act and/or described in its notice(s) or for a purpose that is compatible with those purposes.
The organization, where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically describe the personally identifiable information (PII) covered.
The organization, where appropriate, enters into Memoranda of Understanding, Memoranda of Agreement, Letters of Intent, Computer Matching Agreements, or similar agreements, with third parties that specifically enumerate the purposes for which the personally identifiable information (PII) may be used.
The organization monitors its staff on the authorized sharing of personally identifiable information (PII) with third parties.
The organization audits its staff on the authorized sharing of personally identifiable information (PII) with third parties.
The organization trains its staff on the authorized sharing of personally identifiable information (PII) with third parties.
The organization defines the individuals or information systems to be the only recipients of organization-defined information, information system components, or devices, by employing organization-defined security safeguards.