From 023de0e19b04bbfe91c9565ba2e893f45ed2a613 Mon Sep 17 00:00:00 2001 From: "A.J. Stein" Date: Tue, 14 Nov 2023 16:19:07 -0500 Subject: [PATCH] Add IA-13.3, align final edits from RMF Team, and version metadata. --- .../rev5/xml/NIST_SP-800-53_rev5_catalog.xml | 13015 +--------------- 1 file changed, 178 insertions(+), 12837 deletions(-) diff --git a/src/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml b/src/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml index e4278409..9bc7fe27 100644 --- a/src/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml +++ b/src/nist.gov/SP800-53/rev5/xml/NIST_SP-800-53_rev5_catalog.xml @@ -1,14 +1,17 @@ - + Electronic Version of NIST SP 800-53 Rev 5 Controls and SP 800-53A Rev 5 Assessment Procedures - 2023-10-12T00:00:00.000000-04:00 + 2023-11-14T00:00:00.000000-04:00 5.1.1 1.1.1 + + + Document creator @@ -30939,6 +30942,28 @@ Identity Providers and Authorization Servers + + + + + + + + + + + + +

identification and authentication policy is defined;

+
+ + + + + +

mechanisms supporting authentication and authorization decisions are defined;

+
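Review bot: In the metadata hunk (`@@ -1,14 +1,17 @@`) the last-modified stamp moves from 2023-10-12 to 2023-11-14 but the two context version lines, `5.1.1` and `1.1.1`, are untouched, even though the commit adds a new control enhancement (IA-13(3)); please confirm that a content addition is meant to ship under the same catalog version, or bump the version alongside the date. In this hunk the two new parameter labels, `identification and authentication policy is defined;` and `mechanisms supporting authentication and authorization decisions are defined;`, do not say which slot of the IA-13 statement they fill; wording the second as the identity provider and authorization server mechanisms used would make the "in accordance with ... using ..." template readable in the rendered text.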
+ @@ -30951,37 +30976,29 @@ -

Identity providers and authorization servers manage user, device, and non-person entity (NPE) identities, attributes, and access rights to support authentication and authorization decisions.

+

Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions in accordance with using .

-

Identity providers, both internal and external to the organization, manage the user, device, and NPE authenticators and issue statements, often called identity assertions, attesting to identities to other systems or systems components. Authorization servers create and issue access tokens to identified and authenticated users and devices that can be used gain access to system or information resources. For example, single sign-on (SSO) provides identity provider and authorization server functions. Authenticator management (to include credential management) is covered by IA-05.

+

Identity providers, both internal and external to the organization, manage the user, device, and NPE authenticators and issue statements, often called identity assertions, attesting to identities of other systems or systems components. Authorization servers create and issue access tokens to identified and authenticated users and devices that can be used to gain access to system or information resources. For example, single sign-on (SSO) provides identity provider and authorization server functions. Authenticator management (to include credential management) is covered by IA-05.

-

identity providers manage user and device identities to support authentication and authorization decisions;

+

identity providers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authentication decisions in accordance with using ;

-

identity providers manage user and device attributes to support authentication and authorization decisions;

+

identity providers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authorization decisions in accordance with using ;

-

identity providers manage user and device access rights to support authentication and authorization decisions;

+

authorization servers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authentication decisions in accordance with using ;

-

authorization servers manage user and device identities to support authentication and authorization decisions;

-
- - -

authorization servers manage user and device attributes to support authentication and authorization decisions;

-
- - -

authorization servers manage user and device access rights to support authentication and authorization decisions.

-
+

authorization servers are employed to manage user, device, and non-person entity (NPE) identities, attributes and access rights supporting authorization decisions in accordance with using ;

+
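Review bot: The guidance edit changes meaning rather than just grammar: the old line reads `issue statements, often called identity assertions, attesting to identities to other systems or systems components` (assertions are issued to relying systems) while the new line reads `attesting to identities of other systems or systems components` (the identities attested are those of other systems). If the intent was only to tidy the sentence, keep "to" and fix "systems components" to "system components"; the `used to gain access` fix later in the same line is correct. In the four replacement objectives, `identities, attributes and access rights` drops the serial comma the statement uses (`identities, attributes, and access rights`), and the last objective ends with `;` where the removed final objective ended with `.`, which is the convention elsewhere in this file.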
@@ -31001,7 +31018,7 @@

Organizational personnel with system operations responsibilities;

organizational personnel with information security responsibilities;

-

system/ network administrators;

+

system/network administrators;

organizational personnel with account management responsibilities;

system developers

@@ -31028,7 +31045,7 @@

Cryptographic keys that protect access tokens are generated, managed, and protected from disclosure and misuse.

-

Identity assertions and access tokens are typically digitally signed. The private keys used to sign these assertions and tokens are protected commensurate with the impact of the system and information resources they can be accessed.

+

Identity assertions and access tokens are typically digitally signed. The private keys used to sign these assertions and tokens are protected commensurate with the impact of the system and information resources that can be accessed.

@@ -31038,12 +31055,16 @@ -

cryptographic keys that protect access tokens are managed; and

+

cryptographic keys that protect access tokens are managed;

-

cryptographic keys that protect access tokens are protected from disclosure and misuse

+

cryptographic keys that protect access tokens are protected from disclosure; and

+ + +

cryptographic keys that protect access tokens are protected from disclosure and misuse

+
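Review bot: After splitting the key-protection objective, the new penultimate item reads `protected from disclosure; and` but the new final item still reads `protected from disclosure and misuse`, so "disclosure" is assessed twice and the split achieves nothing; the final item should read `cryptographic keys that protect access tokens are protected from misuse.` (with the terminating period the final objective is missing both before and after this change).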
@@ -31051,7 +31072,8 @@

Identification and authentication policy;

procedures addressing cryptographic key establishment and management;

-

system design documentation; cryptographic mechanisms;

+

system design documentation;

+

cryptographic mechanisms;

system configuration settings and associated documentation;

system security plan;

other relevant documents or records

@@ -31098,11 +31120,11 @@
-

the integrity of identity assertions is verified before granting access to system and information resources;

+

the source of access tokens is verified before granting access to system and information resources;

-

the source of access tokens is verified before granting access to system and information resources; and

+

the integrity of identity assertions is verified before granting access to system and information resources;
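Review bot: Swapping the two objectives drops the `; and` that the removed line `the source of access tokens is verified ... resources; and` carried, and neither of the two replacement lines now carries it. If a further objective follows outside this hunk, the integrity-of-assertions line that is now second should end with `; and`; if it is now the final objective, it should end with a period rather than `;`.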

@@ -31113,28 +31135,155 @@ -

System design documentation; system configuration settings and associated documentation;

+

Identification and authentication policy;

+

system security plan; system design documentation;

+

system configuration settings and associated documentation;

other relevant documents or records

- +

Organizational personnel with system operations responsibilities;

organizational personnel with information security responsibilities;

-

system/ network administrators; organizational personnel with account management responsibilities;

+

system/ network administrators;

+

organizational personnel with account management responsibilities;

system developers

- +

Identity provider mechanisms supporting and/or implementing identification and authentication capabilities and access rights

+ + Token Management + + + + + + + + + + + +

In accordance with , assertions and access tokens are:

+ + +

generated;

+
+ + +

issued;

+
+ + +

refreshed;

+
+ + +

issued;

+
+ + +

time-restricted; and

+
+ + +

audience-restricted.

+
+
+ +

An access token is a piece of data that represents the authorization granted to a user or NPE to access specific systems or information resources. Access tokens enable controlled access to services and resources. Properly managing the lifecycle of access tokens, including their issuance, validation, and revocation, is crucial to maintaining confidentiality of data and systems. Restricting token validity to a specific audience, e.g., an application or security domain, and restricting token validity lifetimes are important practices. Access tokens are revoked or invalidated if they are compromised, lost, or are no longer needed to mitigate the risks associated with stolen or misused tokens.

+
+ + + + +

assertions are generated in accordance with ;

+
+ + +

access tokens are generated in accordance with ;

+
+ + +

assertions are issued in accordance with ;

+
+ + +

access tokens are issued in accordance with ;

+
+ + +

assertions are refreshed in accordance with ;

+
+ + +

access tokens are refreshed in accordance with ;

+
+ + +

assertions are revoked in accordance with ;

+
+ + +

access tokens are revoked in accordance with ;

+
+ + +

assertions are time-restricted in accordance with ;

+
+ + +

access tokens are time-restricted in accordance with ;

+
+ + +

assertions are audience-restricted in accordance with ;

+
+ + +

access tokens are audience-restricted in accordance with ;

+
+
+ + + + +

Identification and authentication policy;

+

access control policy;

+

procedures for assertion and token management;

+

system design documentation;

+

system configuration settings and associated documentation;

+

other relevant documents or records

+
+
+ + + + +

Organizational personnel with system operations responsibilities;

+

organizational personnel with information security responsibilities;

+

system/ network administrators;

+

organizational personnel with account management responsibilities;

+

system developers

+
+
+ + + + +

Mechanisms and software supporting and/or implementing token generation

+
+
+
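Review bot: The statement list for the new Token Management enhancement reads `generated; issued; refreshed; issued; time-restricted; and audience-restricted.`, so "issued" appears twice and "revoked" is absent, while the assessment objectives (`assertions are revoked in accordance with ;`, `access tokens are revoked in accordance with ;`) and the guidance sentence on revocation both assume it; the fourth item should be `revoked;`. Smaller points in the same hunk: the final objective `access tokens are audience-restricted in accordance with ;` should end with a period; `system/ network administrators;` is reintroduced twice here although the `@@ -31001` hunk in this same patch corrects that spacing; `system security plan; system design documentation;` is two artifacts on one line where every other entry is one per line; and the assessment object `Mechanisms and software supporting and/or implementing token generation` covers only generation although the statement also assesses issuance, refresh, revocation and restriction.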
@@ -70663,12812 +70812,4 @@ - -

Employ that are configured to minimize the collection of information about individuals that is not needed.

-
- -

Although policies to control for authorized use can be applied to information once it is collected, minimizing the collection of information that is not needed mitigates privacy risk at the system entry point and mitigates the risk of policy control failures. Sensor configurations include the obscuring of human features, such as blurring or pixelating flesh tones.

-
- - -

the configured to minimize the collection of information about individuals that is not needed are employed.

-
- - - - -

System and communications protection policy

-

access control policy and procedures

-

personally identifiable information processing policy

-

sensor capability and data collection policy and procedures

-

system design documentation

-

system configuration settings and associated documentation

-

privacy risk assessment documentation

-

privacy impact assessments

-

system architecture

-

list of information being collected by sensors

-

list of sensor configurations that minimize the collection of personally identifiable information (e.g., obscure human features)

-

system audit records

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security and privacy responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for sensor capabilities

-
-
- - - - -

Mechanisms supporting and/or implementing measures to facilitate the review of information that is being collected by sensors

-

sensor information collection capabilities for the system

-
-
- - - - Usage Restrictions - - - - - - -

the components for which usage restrictions and implementation guidance are to be established are defined;

-
- - - - - - - - - - - - - - - - -

Establish usage restrictions and implementation guidelines for the following system components: ; and

-
- - -

Authorize, monitor, and control the use of such components within the system.

-
-
- -

Usage restrictions apply to all system components including but not limited to mobile code, mobile devices, wireless access, and wired and wireless peripheral components (e.g., copiers, printers, scanners, optical devices, and other similar technologies). The usage restrictions and implementation guidelines are based on the potential for system components to cause damage to the system and help to ensure that only authorized system use occurs.

-
- - - - -

usage restrictions and implementation guidelines are established for ;

-
- - - - -

the use of is authorized within the system;

-
- - -

the use of is monitored within the system;

-
- - -

the use of is controlled within the system.

-
-
-
- - - - -

System and communications protection policy

-

usage restrictions

-

procedures addressing usage restrictions

-

implementation policy and procedures

-

authorization records

-

system monitoring records

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-
-
- - - - -

Organizational processes for authorizing, monitoring, and controlling the use of components with usage restrictions

-

mechanisms supporting and/or implementing, authorizing, monitoring, and controlling the use of components with usage restrictions

-
-
-
- - Detonation Chambers - - - - - -

the system, system component, or location where a detonation chamber capability is to be employed is defined;

-
- - - - - - - - - - - - - - - - -

Employ a detonation chamber capability within .

-
- -

Detonation chambers, also known as dynamic execution environments, allow organizations to open email attachments, execute untrusted or suspicious applications, and execute Universal Resource Locator requests in the safety of an isolated environment or a virtualized sandbox. Protected and isolated execution environments provide a means of determining whether the associated attachments or applications contain malicious code. While related to the concept of deception nets, the employment of detonation chambers is not intended to maintain a long-term environment in which adversaries can operate and their actions can be observed. Rather, detonation chambers are intended to quickly identify malicious code and either reduce the likelihood that the code is propagated to user environments of operation or prevent such propagation completely.

-
- - -

a detonation chamber capability is employed within the .

-
- - - - -

System and communications protection policy

-

procedures addressing detonation chambers

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-
-
- - - - -

Mechanisms supporting and/or implementing the detonation chamber capability

-
-
-
- - System Time Synchronization - - - - - - - - - - -

Synchronize system clocks within and between systems and system components.

-
- -

Time synchronization of system clocks is essential for the correct execution of many system services, including identification and authentication processes that involve certificates and time-of-day restrictions as part of access control. Denial of service or failure to deny expired credentials may result without properly synchronized clocks within and between systems and system components. Time is commonly expressed in Coordinated Universal Time (UTC), a modern continuation of Greenwich Mean Time (GMT), or local time with an offset from UTC. The granularity of time measurements refers to the degree of synchronization between system clocks and reference clocks, such as clocks synchronizing within hundreds of milliseconds or tens of milliseconds. Organizations may define different time granularities for system components. Time service can be critical to other security capabilities—such as access control and identification and authentication—depending on the nature of the mechanisms used to support the capabilities.

-
- - -

system clocks are synchronized within and between systems and system components.

-
- - - - -

System and communications protection policy

-

procedures addressing time synchronization

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-
-
- - - - -

Mechanisms supporting and/or implementing system time synchronization

-
-
- - Synchronization with Authoritative Time Source - - - - - -

the frequency at which to compare the internal system clocks with the authoritative time source is defined;

-
- - - - - - -

the authoritative time source to which internal system clocks are to be compared is defined;

-
- - - - - - -

the time period to compare the internal system clocks with the authoritative time source is defined;

-
- - - - - - - - - -

Compare the internal system clocks with ; and

-
- - -

Synchronize the internal system clocks to the authoritative time source when the time difference is greater than .

-
-
- -

Synchronization of internal system clocks with an authoritative source provides uniformity of time stamps for systems with multiple system clocks and systems connected over a network.

-
- - - - -

the internal system clocks are compared with ;

-
- - -

the internal system clocks are synchronized with the authoritative time source when the time difference is greater than .

-
-
- - - - -

System and communications protection policy

-

procedures addressing time synchronization

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-
-
- - - - -

Mechanisms supporting and/or implementing system time synchronization

-
-
-
- - Secondary Authoritative Time Source - - - - - - - - -

Identify a secondary authoritative time source that is in a different geographic region than the primary authoritative time source; and

-
- - -

Synchronize the internal system clocks to the secondary authoritative time source if the primary authoritative time source is unavailable.

-
-
- -

It may be necessary to employ geolocation information to determine that the secondary authoritative time source is in a different geographic region.

-
- - - - -

a secondary authoritative time source is identified that is in a different geographic region than the primary authoritative time source;

-
- - -

the internal system clocks are synchronized to the secondary authoritative time source if the primary authoritative time source is unavailable.

-
-
- - - - -

System and communications protection policy

-

procedures addressing time synchronization

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-
-
- - - - -

Mechanisms supporting and/or implementing system time synchronization with secondary authoritative time sources

-
-
-
-
- - Cross Domain Policy Enforcement - - - - - - - - - - - - - -

Implement a policy enforcement mechanism between the physical and/or network interfaces for the connecting security domains.

-
- -

For logical policy enforcement mechanisms, organizations avoid creating a logical path between interfaces to prevent the ability to bypass the policy enforcement mechanism. For physical policy enforcement mechanisms, the robustness of physical isolation afforded by the physical implementation of policy enforcement to preclude the presence of logical covert channels penetrating the security domain may be needed. Contact ncdsmo@nsa.gov for more information.

-
- - -

a policy enforcement mechanism is implemented between the physical and/or network interfaces for the connecting security domains.

-
- - - - -

System and communications protection policy

-

procedures addressing cross-domain policy enforcement

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-
-
- - - - -

Mechanisms supporting and/or implementing cross-domain policy enforcement

-
-
-
- - Alternate Communications Paths - - - - - - -

alternate communication paths for system operations and operational command and control are defined;

-
- - - - - - - - - - - - -

Establish for system operations organizational command and control.

-
- -

An incident, whether adversarial- or nonadversarial-based, can disrupt established communications paths used for system operations and organizational command and control. Alternate communications paths reduce the risk of all communications paths being affected by the same incident. To compound the problem, the inability of organizational officials to obtain timely information about disruptions or to provide timely direction to operational elements after a communications path incident, can impact the ability of the organization to respond to such incidents in a timely manner. Establishing alternate communications paths for command and control purposes, including designating alternative decision makers if primary decision makers are unavailable and establishing the extent and limitations of their actions, can greatly facilitate the organization’s ability to continue to operate and take appropriate actions during an incident.

-
- - -

are established for system operations and operational command and control.

-
- - - - -

System and communications protection policy

-

procedures addressing communication paths

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

system developers

-
-
- - - - -

Mechanisms supporting and/or implementing alternate communication paths for system operations

-
-
-
- - Sensor Relocation - - - - - -

sensors and monitoring capabilities to be relocated are defined;

-
- - - - - - -

locations to where sensors and monitoring capabilities are to be relocated are defined;

-
- - - - - - -

conditions or circumstances for relocating sensors and monitoring capabilities are defined;

-
- - - - - - - - - - - -

Relocate to under the following conditions or circumstances: .

-
- -

Adversaries may take various paths and use different approaches as they move laterally through an organization (including its systems) to reach their target or as they attempt to exfiltrate information from the organization. The organization often only has a limited set of monitoring and detection capabilities, and they may be focused on the critical or likely infiltration or exfiltration paths. By using communications paths that the organization typically does not monitor, the adversary can increase its chances of achieving its desired goals. By relocating its sensors or monitoring capabilities to new locations, the organization can impede the adversary’s ability to achieve its goals. The relocation of the sensors or monitoring capabilities might be done based on threat information that the organization has acquired or randomly to confuse the adversary and make its lateral transition through the system or organization more challenging.

-
- - -

are relocated to under .

-
- - - - -

System and communications protection policy

-

procedures addressing sensor and monitoring capability relocation

-

list of sensors/monitoring capabilities to be relocated

-

change control records

-

configuration management records

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-
-
- - - - -

Mechanisms supporting and/or implementing sensor relocation

-
-
- - Dynamic Relocation of Sensors or Monitoring Capabilities - - - - - -

sensors and monitoring capabilities to be dynamically relocated are defined;

-
- - - - - - -

locations to where sensors and monitoring capabilities are to be dynamically relocated are defined;

-
- - - - - - -

conditions or circumstances for dynamically relocating sensors and monitoring capabilities are defined;

-
- - - - - - - - -

Dynamically relocate to under the following conditions or circumstances: .

-
- -

None.

-
- - -

are dynamically relocated to under .

-
- - - - -

System and communications protection policy

-

procedures addressing sensor and monitoring capability relocation

-

list of sensors/monitoring capabilities to be relocated

-

change control records

-

configuration management records

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-
-
- - - - -

SELECT FROM: Mechanisms supporting and/or implementing sensor relocation

-
-
-
-
- - Hardware-enforced Separation and Policy Enforcement - - - - - -

security domains requiring hardware-enforced separation and policy enforcement mechanisms are defined;

-
- - - - - - - - - - - - -

Implement hardware-enforced separation and policy enforcement mechanisms between .

-
- -

System owners may require additional strength of mechanism and robustness to ensure domain separation and policy enforcement for specific types of threats and environments of operation. Hardware-enforced separation and policy enforcement provide greater strength of mechanism than software-enforced separation and policy enforcement.

-
- - -

hardware-enforced separation and policy enforcement mechanisms are implemented between .

-
- - - - -

System and communications protection policy

-

procedures addressing cross-domain policy enforcement

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-
-
- - - - -

Mechanisms supporting and/or implementing hardware-enforced security domain separation and policy enforcement

-
-
-
- - Software-enforced Separation and Policy Enforcement - - - - - -

security domains requiring software-enforced separation and policy enforcement mechanisms are defined;

-
- - - - - - - - - - - - - - - -

Implement software-enforced separation and policy enforcement mechanisms between .

-
- -

System owners may require additional strength of mechanism to ensure domain separation and policy enforcement for specific types of threats and environments of operation.

-
- - -

software-enforced separation and policy enforcement mechanisms are implemented between .

-
- - - - -

System and communications protection policy

-

procedures addressing cross-domain policy enforcement

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-
-
- - - - -

Mechanisms supporting and/or implementing software-enforced separation and policy enforcement

-
-
-
- - Hardware-based Protection - - - - - -

system firmware components requiring hardware-based write-protect are defined;

-
- - - - - - -

authorized individuals requiring procedures for disabling and re-enabling hardware write-protect are defined;

-
- - - - - - - - - - -

Employ hardware-based, write-protect for ; and

-
- - -

Implement specific procedures for to manually disable hardware write-protect for firmware modifications and re-enable the write-protect prior to returning to operational mode.

-
-
- -

None.

-
- - - - -

hardware-based write-protect for is employed;

-
- - - - -

specific procedures are implemented for to manually disable hardware write-protect for firmware modifications;

-
- - -

specific procedures are implemented for to re-enable the write-protect prior to returning to operational mode.

-
-
-
- - - - -

System and communications protection policy

-

procedures addressing firmware modifications

-

system design documentation

-

system configuration settings and associated documentation

-

system architecture

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

system developers/integrators

-
-
- - - - -

Organizational processes for modifying system firmware

-

mechanisms supporting and/or implementing hardware-based write-protection for system firmware

-
-
-
-
- - System and Information Integrity - - Policy and Procedures - - - - - - - - - -

personnel or roles to whom the system and information integrity policy is to be disseminated is/are defined;

-
- - - - - -

personnel or roles to whom the system and information integrity procedures are to be disseminated is/are defined;

-
- - - - - - - - - - - -

an official to manage the system and information integrity policy and procedures is defined;

-
- - - - - - -

the frequency at which the current system and information integrity policy is reviewed and updated is defined;

-
- - - - - - -

events that would require the current system and information integrity policy to be reviewed and updated are defined;

-
- - - - - - -

the frequency at which the current system and information integrity procedures are reviewed and updated is defined;

-
- - - - - - -

events that would require the system and information integrity procedures to be reviewed and updated are defined;

-
- - - - - - - - - - - - - - - - -

Develop, document, and disseminate to :

- - -

system and information integrity policy that:

- - -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
- - -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

-
-
- - -

Procedures to facilitate the implementation of the system and information integrity policy and the associated system and information integrity controls;

-
-
- - -

Designate an to manage the development, documentation, and dissemination of the system and information integrity policy and procedures; and

-
- - -

Review and update the current system and information integrity:

- - -

Policy and following ; and

-
- - -

Procedures and following .

-
-
-
- -

System and information integrity policy and procedures address the controls in the SI family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of system and information integrity policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to system and information integrity policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

-
- - - - - - -

a system and information integrity policy is developed and documented;

-
- - -

the system and information integrity policy is disseminated to ;

-
- - -

system and information integrity procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls are developed and documented;

-
- - -

the system and information integrity procedures are disseminated to ;

-
- - - - - - -

the system and information integrity policy addresses purpose;

-
- - -

the system and information integrity policy addresses scope;

-
- - -

the system and information integrity policy addresses roles;

-
- - -

the system and information integrity policy addresses responsibilities;

-
- - -

the system and information integrity policy addresses management commitment;

-
- - -

the system and information integrity policy addresses coordination among organizational entities;

-
- - -

the system and information integrity policy addresses compliance;

-
-
- - -

the system and information integrity policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

-
-
-
- - -

the is designated to manage the development, documentation, and dissemination of the system and information integrity policy and procedures;

-
- - - - - - -

the current system and information integrity policy is reviewed and updated ;

-
- - -

the current system and information integrity policy is reviewed and updated following ;

-
-
- - - - -

the current system and information integrity procedures are reviewed and updated ;

-
- - -

the current system and information integrity procedures are reviewed and updated following .

-
-
-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and information integrity responsibilities

-

organizational personnel with information security and privacy responsibilities

-
-
-
- - Flaw Remediation - - - - - -

time period within which to install security-relevant software updates after the release of the updates is defined;

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Identify, report, and correct system flaws;

-
- - -

Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;

-
- - -

Install security-relevant software and firmware updates within of the release of the updates; and

-
- - -

Incorporate flaw remediation into the organizational configuration management process.

-
-
- -

The need to remediate system flaws applies to all types of software and firmware. Organizations identify systems affected by software flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security and privacy responsibilities. Security-relevant updates include patches, service packs, and malicious code signatures. Organizations also address flaws discovered during assessments, continuous monitoring, incident response activities, and system error handling. By incorporating flaw remediation into configuration management processes, required remediation actions can be tracked and verified.

-

Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of risk factors, including the security category of the system, the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw), the organizational risk tolerance, the mission supported by the system, or the threat environment. Some types of flaw remediation may require more testing than other types. Organizations determine the type of testing needed for the specific type of flaw remediation activity under consideration and the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software or firmware updates is not necessary or practical, such as when implementing simple malicious code signature updates. In testing decisions, organizations consider whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures.

-
- - - - - - -

system flaws are identified;

-
- - -

system flaws are reported;

-
- - -

system flaws are corrected;

-
-
- - - - -

software updates related to flaw remediation are tested for effectiveness before installation;

-
- - -

software updates related to flaw remediation are tested for potential side effects before installation;

-
- - -

firmware updates related to flaw remediation are tested for effectiveness before installation;

-
- - -

firmware updates related to flaw remediation are tested for potential side effects before installation;

-
-
- - - - -

security-relevant software updates are installed within of the release of the updates;

-
- - -

security-relevant firmware updates are installed within of the release of the updates;

-
-
- - -

flaw remediation is incorporated into the organizational configuration management process.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing flaw remediation

-

procedures addressing configuration management

-

list of flaws and vulnerabilities potentially affecting the system

-

list of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws)

-

test results from the installation of software and firmware updates to correct system flaws

-

installation/change control records for security-relevant software and firmware updates

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security and privacy responsibilities

-

organizational personnel responsible for installing, configuring, and/or maintaining the system

-

organizational personnel responsible for flaw remediation

-

organizational personnel with configuration management responsibilities

-
-
- - - - -

Organizational processes for identifying, reporting, and correcting system flaws

-

organizational process for installing software and firmware updates

-

mechanisms supporting and/or implementing the reporting and correcting of system flaws

-

mechanisms supporting and/or implementing testing software and firmware updates

-
-
- - Central Management - - - - - - - - Automated Flaw Remediation Status - - - - - -

automated mechanisms to determine if applicable security-relevant software and firmware updates are installed on system components are defined;

-
- - - - - - -

the frequency at which to determine if applicable security-relevant software and firmware updates are installed on system components is defined;

-
- - - - - - - - - -

Determine if system components have applicable security-relevant software and firmware updates installed using .

-
- -

Automated mechanisms can track and determine the status of known flaws for system components.

-
- - -

system components have applicable security-relevant software and firmware updates installed using .

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing flaw remediation

-

automated mechanisms supporting centralized management of flaw remediation

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for flaw remediation

-
-
- - - - -

Automated mechanisms used to determine the state of system components with regard to flaw remediation

-
-
-
- - Time to Remediate Flaws and Benchmarks for Corrective Actions - - - - - -

the benchmarks for taking corrective actions are defined;

-
- - - - - - - - - -

Measure the time between flaw identification and flaw remediation; and

-
- - -

Establish the following benchmarks for taking corrective actions: .

-
-
- -

Organizations determine the time it takes on average to correct system flaws after such flaws have been identified and subsequently establish organizational benchmarks (i.e., time frames) for taking corrective actions. Benchmarks can be established by the type of flaw or the severity of the potential vulnerability if the flaw can be exploited.

-
- - - - -

the time between flaw identification and flaw remediation is measured;

-
- - -

for taking corrective actions have been established.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing flaw remediation

-

system design documentation

-

system configuration settings and associated documentation

-

list of benchmarks for taking corrective action on identified flaws

-

records that provide timestamps of flaw identification and subsequent flaw remediation activities

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for flaw remediation

-
-
- - - - -

Organizational processes for identifying, reporting, and correcting system flaws

-

mechanisms used to measure the time between flaw identification and flaw remediation

-
-
-
- - Automated Patch Management Tools - - - - - - -

the system components requiring automated patch management tools to facilitate flaw remediation are defined;

-
- - - - - - - - -

Employ automated patch management tools to facilitate flaw remediation to the following system components: .

-
- -

Using automated tools to support patch management helps to ensure the timeliness and completeness of system patching operations.

-
- - -

automated patch management tools are employed to facilitate flaw remediation to .

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing flaw remediation

-

mechanisms supporting flaw remediation and automatic software/firmware updates

-

system design documentation

-

system configuration settings and associated documentation

-

list of system flaws

-

records of recent security-relevant software and firmware updates that are automatically installed to system components

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for flaw remediation

-
-
- - - - -

Automated patch management tools

-

mechanisms implementing automatic software/firmware updates

-

mechanisms facilitating flaw remediation to system components

-
-
-
- - Automatic Software and Firmware Updates - - - - - -

security-relevant software and firmware updates to be automatically installed to system components are defined;

-
- - - - - - -

system components requiring security-relevant software updates to be automatically installed are defined;

-
- - - - - - - - -

Install automatically to .

-
- -

Due to system integrity and availability concerns, organizations consider the methodology used to carry out automatic updates. Organizations balance the need to ensure that the updates are installed as soon as possible with the need to maintain configuration management and control with any mission or operational impacts that automatic updates might impose.

-
- - -

are installed automatically to .

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing flaw remediation

-

mechanisms supporting flaw remediation and automatic software/firmware updates

-

system design documentation

-

system configuration settings and associated documentation

-

records of recent security-relevant software and firmware updates automatically installed to system components

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for flaw remediation

-
-
- - - - -

Mechanisms implementing automatic software/firmware updates

-
-
-
- - Removal of Previous Versions of Software and Firmware - - - - - -

software and firmware components to be removed after updated versions have been installed are defined;

-
- - - - - - - - -

Remove previous versions of after updated versions have been installed.

-
- -

Previous versions of software or firmware components that are not removed from the system after updates have been installed may be exploited by adversaries. Some products may automatically remove previous versions of software and firmware from the system.

-
- - -

previous versions of are removed after updated versions have been installed.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing flaw remediation

-

mechanisms supporting flaw remediation

-

system design documentation

-

system configuration settings and associated documentation

-

records of software and firmware component removals after updated versions are installed

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for flaw remediation

-
-
- - - - -

Mechanisms supporting and/or implementing the removal of previous versions of software/firmware

-
-
-
-
- - Malicious Code Protection - - - - - - - - - - -

the frequency at which malicious code protection mechanisms perform scans is defined;

-
- - - - - - - - - - - - - - - - -

action to be taken in response to malicious code detection are defined (if selected);

-
- - - - - - -

personnel or roles to be alerted when malicious code is detected is/are defined;

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;

-
- - -

Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;

-
- - -

Configure malicious code protection mechanisms to:

- - -

Perform periodic scans of the system and real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy; and

-
- - -

; and send alert to in response to malicious code detection; and

-
-
- - -

Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

-
-
- -

System entry and exit points include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats contained within compressed or hidden files or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways, including by electronic mail, the world-wide web, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. A variety of technologies and methods exist to limit or eliminate the effects of malicious code.

-

Malicious code protection mechanisms include both signature- and nonsignature-based technologies. Nonsignature-based detection mechanisms include artificial intelligence techniques that use heuristics to detect, analyze, and describe the characteristics or behavior of malicious code and to provide controls against such code for which signatures do not yet exist or for which existing signatures may not be effective. Malicious code for which active signatures do not yet exist or may be ineffective includes polymorphic malicious code (i.e., code that changes signatures when it replicates). Nonsignature-based mechanisms also include reputation-based technologies. In addition to the above technologies, pervasive configuration management, comprehensive software integrity controls, and anti-exploitation software may be effective in preventing the execution of unauthorized code. Malicious code may be present in commercial off-the-shelf software as well as custom-built software and could include logic bombs, backdoors, and other types of attacks that could affect organizational mission and business functions.

-

In situations where malicious code cannot be detected by detection methods or technologies, organizations rely on other types of controls, including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to ensure that software does not perform functions other than the functions intended. Organizations may determine that, in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, the detection of malicious downloads, or the detection of maliciousness when attempting to open or execute files.

-
- - - - - - -

malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code;

-
- - -

malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code;

-
-
- - -

malicious code protection mechanisms are updated automatically as new releases are available in accordance with organizational configuration management policy and procedures;

-
- - - - - - -

malicious code protection mechanisms are configured to perform periodic scans of the system ;

-
- - -

malicious code protection mechanisms are configured to perform real-time scans of files from external sources at as the files are downloaded, opened, or executed in accordance with organizational policy;

-
-
- - - - -

malicious code protection mechanisms are configured to in response to malicious code detection;

-
- - -

malicious code protection mechanisms are configured to send alerts to in response to malicious code detection;

-
-
-
- - -

the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system are addressed.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

configuration management policy and procedures

-

procedures addressing malicious code protection

-

malicious code protection mechanisms

-

records of malicious code protection updates

-

system design documentation

-

system configuration settings and associated documentation

-

scan results from malicious code protection mechanisms

-

record of actions initiated by malicious code protection mechanisms in response to malicious code detection

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for malicious code protection

-

organizational personnel with configuration management responsibilities

-
-
- - - - -

Organizational processes for employing, updating, and configuring malicious code protection mechanisms

-

organizational processes for addressing false positives and resulting potential impacts

-

mechanisms supporting and/or implementing, employing, updating, and configuring malicious code protection mechanisms

-

mechanisms supporting and/or implementing malicious code scanning and subsequent actions

-
-
- - Central Management - - - - - - - - Automatic Updates - - - - - - - - Non-privileged Users - - - - - - - - Updates Only by Privileged Users - - - - - - - - -

Update malicious code protection mechanisms only when directed by a privileged user.

-
- -

Protection mechanisms for malicious code are typically categorized as security-related software and, as such, are only updated by organizational personnel with appropriate access privileges.

-
- - -

malicious code protection mechanisms are updated only when directed by a privileged user.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing malicious code protection

-

list of privileged users on system

-

system design documentation

-

malicious code protection mechanisms

-

records of malicious code protection updates

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

system developers

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for malicious code protection

-
-
- - - - -

Mechanisms supporting and/or implementing malicious code protection capabilities

-
-
-
- - Portable Storage Devices - - - - - - - - Testing and Verification - - - - - -

the frequency at which to test malicious code protection mechanisms is defined;

-
- - - - - - - - - - - - -

Test malicious code protection mechanisms by introducing known benign code into the system; and

-
- - -

Verify that the detection of the code and the associated incident reporting occur.

-
-
- -

None.

-
- - - - -

malicious code protection mechanisms are tested by introducing known benign code into the system;

-
- - - - -

the detection of (benign test) code occurs;

-
- - -

the associated incident reporting occurs.

-
-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing malicious code protection

-

system design documentation

-

system configuration settings and associated documentation

-

test cases

-

records providing evidence of test cases executed on malicious code protection mechanisms

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for malicious code protection

-
-
- - - - -

Mechanisms supporting and/or implementing the testing and verification of malicious code protection capabilities

-
-
-
- - Nonsignature-based Detection - - - - - - - - Detect Unauthorized Commands - - - - - -

system hardware components for which unauthorized operating system commands are to be detected through the kernel application programming interface are defined;

-
- - - - - - -

unauthorized operating system commands to be detected are defined;

-
- - - - - - - - - - - - - - - - - -

Detect the following unauthorized operating system commands through the kernel application programming interface on : ; and

-
- - -

.

-
-
- -

Detecting unauthorized commands can be applied to critical interfaces other than kernel-based interfaces, including interfaces with virtual machines and privileged applications. Unauthorized operating system commands include commands for kernel functions from system processes that are not trusted to initiate such commands as well as commands for kernel functions that are suspicious even though commands of that type are reasonable for processes to initiate. Organizations can define the malicious commands to be detected by a combination of command types, command classes, or specific instances of commands. Organizations can also define hardware components by component type, component, component location in the network, or a combination thereof. Organizations may select different actions for different types, classes, or instances of malicious commands.

-
- - - - -

are detected through the kernel application programming interface on ;

-
- - -

is/are performed.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing malicious code protection

-

system design documentation

-

malicious code protection mechanisms

-

warning messages sent upon the detection of unauthorized operating system command execution

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

system developers

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for malicious code protection

-
-
- - - - -

Mechanisms supporting and/or implementing malicious code protection capabilities

-

mechanisms supporting and/or implementing the detection of unauthorized operating system commands through the kernel application programming interface

-
-
-
- - Authenticate Remote Commands - - - - - - - - Malicious Code Analysis - - - - - -

tools and techniques to be employed to analyze the characteristics and behavior of malicious code are defined;

-
- - - - - - - - - -

Employ the following tools and techniques to analyze the characteristics and behavior of malicious code: ; and

-
- - -

Incorporate the results from malicious code analysis into organizational incident response and flaw remediation processes.

-
-
- -

The use of malicious code analysis tools provides organizations with a more in-depth understanding of adversary tradecraft (i.e., tactics, techniques, and procedures) and the functionality and purpose of specific instances of malicious code. Understanding the characteristics of malicious code facilitates effective organizational responses to current and future threats. Organizations can conduct malicious code analyses by employing reverse engineering techniques or by monitoring the behavior of executing code.

-
- - - - -

are employed to analyze the characteristics and behavior of malicious code;

-
- - - - -

the results from malicious code analysis are incorporated into organizational incident response processes;

-
- - -

the results from malicious code analysis are incorporated into organizational flaw remediation processes.

-
-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing malicious code protection

-

procedures addressing incident response

-

procedures addressing flaw remediation

-

system design documentation

-

malicious code protection mechanisms, tools, and techniques

-

system configuration settings and associated documentation

-

results from malicious code analyses

-

records of flaw remediation events resulting from malicious code analyses

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for malicious code protection

-

organizational personnel responsible for flaw remediation

-

organizational personnel responsible for incident response/management

-
-
- - - - -

Organizational process for incident response

-

organizational process for flaw remediation

-

mechanisms supporting and/or implementing malicious code protection capabilities

-

tools and techniques for the analysis of malicious code characteristics and behavior

-
-
-
-
- - System Monitoring - - - - - -

monitoring objectives to detect attacks and indicators of potential attacks on the system are defined;

-
- - - - - - -

techniques and methods used to identify unauthorized use of the system are defined;

-
- - - - - - -

system monitoring information to be provided to personnel or roles is defined;

-
- - - - - - -

personnel or roles to whom system monitoring information is to be provided is/are defined;

-
- - - - - - - - - - - -

a frequency for providing system monitoring to personnel or roles is defined (if selected);

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Monitor the system to detect:

- - -

Attacks and indicators of potential attacks in accordance with the following monitoring objectives: ; and

-
- - -

Unauthorized local, network, and remote connections;

-
-
- - -

Identify unauthorized use of the system through the following techniques and methods: ;

-
- - -

Invoke internal monitoring capabilities or deploy monitoring devices:

- - -

Strategically within the system to collect organization-determined essential information; and

-
- - -

At ad hoc locations within the system to track specific types of transactions of interest to the organization;

-
-
- - -

Analyze detected events and anomalies;

-
- - -

Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

-
- - -

Obtain legal opinion regarding system monitoring activities; and

-
- - -

Provide to .

-
-
- -

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.

-

Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17 . The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b ). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

-
- - - - - - -

the system is monitored to detect attacks and indicators of potential attacks in accordance with ;

-
- - - - -

the system is monitored to detect unauthorized local connections;

-
- - -

the system is monitored to detect unauthorized network connections;

-
- - -

the system is monitored to detect unauthorized remote connections;

-
-
-
- - -

unauthorized use of the system is identified through ;

-
- - - - -

internal monitoring capabilities are invoked or monitoring devices are deployed strategically within the system to collect organization-determined essential information;

-
- - -

internal monitoring capabilities are invoked or monitoring devices are deployed at ad hoc locations within the system to track specific types of transactions of interest to the organization;

-
-
- - - - -

detected events are analyzed;

-
- - -

detected anomalies are analyzed;

-
-
- - -

the level of system monitoring activity is adjusted when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;

-
- - -

a legal opinion regarding system monitoring activities is obtained;

-
- - -

is provided to .

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

continuous monitoring strategy

-

facility diagram/layout

-

system design documentation

-

system monitoring tools and techniques documentation

-

locations within the system where monitoring devices are deployed

-

system configuration settings and associated documentation

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-
-
- - - - -

Organizational processes for system monitoring

-

mechanisms supporting and/or implementing system monitoring capabilities

-
-
- - System-wide Intrusion Detection System - - - - - - - - -

Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.

-
- -

Linking individual intrusion detection tools into a system-wide intrusion detection system provides additional coverage and effective detection capabilities. The information contained in one intrusion detection tool can be shared widely across the organization, making the system-wide detection capability more robust and powerful.

-
- - - - -

individual intrusion detection tools are connected to a system-wide intrusion detection system;

-
- - -

individual intrusion detection tools are configured into a system-wide intrusion detection system.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

organizational personnel responsible for the intrusion detection system

-
-
- - - - -

Organizational processes for intrusion detection and system monitoring

-

mechanisms supporting and/or implementing intrusion detection capabilities

-
-
-
- - Automated Tools and Mechanisms for Real-time Analysis - - - - - - - - - -

Employ automated tools and mechanisms to support near real-time analysis of events.

-
- -

Automated tools and mechanisms include host-based, network-based, transport-based, or storage-based event monitoring tools and mechanisms or security information and event management (SIEM) technologies that provide real-time analysis of alerts and notifications generated by organizational systems. Automated monitoring techniques can create unintended privacy risks because automated controls may connect to external or otherwise unrelated systems. The matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessment and make determinations that are in alignment with their privacy program plan.

-
- - -

automated tools and mechanisms are employed to support a near real-time analysis of events.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

privacy plan

-

privacy program plan

-

privacy impact assessment

-

privacy risk management documentation

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security and privacy responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

organizational personnel responsible for incident response/management

-
-
- - - - -

Organizational processes for the near real-time analysis of events

-

organizational processes for system monitoring

-

mechanisms supporting and/or implementing system monitoring

-

mechanisms/tools supporting and/or implementing an analysis of events

-
-
-
- - Automated Tool and Mechanism Integration - - - - - - - - - -

Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms.

-
- -

Using automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access and flow control mechanisms facilitates a rapid response to attacks by enabling the reconfiguration of mechanisms in support of attack isolation and elimination.

-
- - - - -

automated tools and mechanisms are employed to integrate intrusion detection tools and mechanisms into access control mechanisms;

-
- - -

automated tools and mechanisms are employed to integrate intrusion detection tools and mechanisms into flow control mechanisms.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

access control policy and procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

organizational personnel responsible for the intrusion detection system

-
-
- - - - -

Organizational processes for intrusion detection and system monitoring

-

mechanisms supporting and/or implementing the intrusion detection and system monitoring capability

-

mechanisms and tools supporting and/or implementing the access and flow control capabilities

-

mechanisms and tools supporting and/or implementing the integration of intrusion detection tools into the access and flow control mechanisms

-
-
-
- - Inbound and Outbound Communications Traffic - - - - - - - - - - - - - - -

the frequency at which to monitor inbound communications traffic for unusual or unauthorized activities or conditions is defined;

-
- - - - - -

unusual or unauthorized activities or conditions that are to be monitored in inbound communications traffic are defined;

-
- - - - - -

the frequency at which to monitor outbound communications traffic for unusual or unauthorized activities or conditions is defined;

-
- - - - - -

unusual or unauthorized activities or conditions that are to be monitored in outbound communications traffic are defined;

-
- - - - - - - - - - -

Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic;

-
- - -

Monitor inbound and outbound communications traffic for .

-
-
- -

Unusual or unauthorized activities or conditions related to system inbound and outbound communications traffic includes internal traffic that indicates the presence of malicious code or unauthorized use of legitimate code or credentials within organizational systems or propagating among system components, signaling to external systems, and the unauthorized exporting of information. Evidence of malicious code or unauthorized use of legitimate code or credentials is used to identify potentially compromised systems or system components.

-
- - - - - - -

criteria for unusual or unauthorized activities or conditions for inbound communications traffic are defined;

-
- - -

criteria for unusual or unauthorized activities or conditions for outbound communications traffic are defined;

-
-
- - - - -

inbound communications traffic is monitored for ;

-
- - -

outbound communications traffic is monitored for .

-
-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

system protocols

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

organizational personnel responsible for the intrusion detection system

-
-
- - - - -

Organizational processes for intrusion detection and system monitoring

-

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

-

mechanisms supporting and/or implementing the monitoring of inbound and outbound communications traffic

-
-
-
- - System-generated Alerts - - - - - -

personnel or roles to be alerted when indications of compromise or potential compromise occur is/are defined;

-
- - - - - - -

compromise indicators are defined;

-
- - - - - - - - - - - -

Alert when the following system-generated indications of compromise or potential compromise occur: .

-
- -

Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be automated and may be transmitted telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the alert notification list can include system administrators, mission or business owners, system owners, information owners/stewards, senior agency information security officers, senior agency officials for privacy, system security officers, or privacy officers. In contrast to alerts generated by the system, alerts generated by organizations in SI-4(12) focus on information sources external to the system, such as suspicious activity reports and reports on potential insider threats.

-
- - -

are alerted when system-generated occur.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

list of personnel selected to receive alerts

-

documentation of alerts generated based on compromise indicators

-

system audit records

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security and privacy responsibilities

-

system developers

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

organizational personnel on the system alert notification list

-

organizational personnel responsible for the intrusion detection system

-
-
- - - - -

Organizational processes for intrusion detection and system monitoring

-

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

-

mechanisms supporting and/or implementing alerts for compromise indicators

-
-
-
- - Restrict Non-privileged Users - - - - - - - - Automated Response to Suspicious Events - - - - - - -

incident response personnel (identified by name and/or by role) to be notified of detected suspicious events is/are defined;

-
- - - - - - - -

least-disruptive actions to terminate suspicious events are defined;

-
- - - - - - - - - - -

Notify of detected suspicious events; and

-
- - -

Take the following actions upon detection: .

-
-
- -

Least-disruptive actions include initiating requests for human responses.

-
- - - - -

are notified of detected suspicious events;

-
- - -

are taken upon the detection of suspicious events.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

alerts and notifications generated based on detected suspicious events

-

records of actions taken to terminate suspicious events

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

system developers

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

organizational personnel responsible for the intrusion detection system

-
-
- - - - -

Organizational processes for intrusion detection and system monitoring

-

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

-

mechanisms supporting and/or implementing notifications to incident response personnel

-

mechanisms supporting and/or implementing actions to terminate suspicious events

-
-
-
- - Protection of Monitoring Information - - - - - - - - Testing of Monitoring Tools and Mechanisms - - - - - -

a frequency at which to test intrusion-monitoring tools and mechanisms is defined;

-
- - - - - - - - -

Test intrusion-monitoring tools and mechanisms .

-
- -

Testing intrusion-monitoring tools and mechanisms is necessary to ensure that the tools and mechanisms are operating correctly and continue to satisfy the monitoring objectives of organizations. The frequency and depth of testing depends on the types of tools and mechanisms used by organizations and the methods of deployment.

-
- - -

intrusion-monitoring tools and mechanisms are tested .

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing the testing of system monitoring tools and techniques

-

documentation providing evidence of testing intrusion-monitoring tools

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

organizational personnel responsible for the intrusion detection system

-
-
- - - - -

Organizational processes for intrusion detection and system monitoring

-

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

-

mechanisms supporting and/or implementing the testing of intrusion-monitoring tools

-
-
-
- - Visibility of Encrypted Communications - - - - - -

encrypted communications traffic to be made visible to system monitoring tools and mechanisms is defined;

-
- - - - - - -

system monitoring tools and mechanisms to be provided access to encrypted communications traffic are defined;

-
- - - - - - - - -

Make provisions so that is visible to .

-
- -

Organizations balance the need to encrypt communications traffic to protect data confidentiality with the need to maintain visibility into such traffic from a monitoring perspective. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types.

-
- - -

provisions are made so that is visible to .

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

system protocols

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

organizational personnel responsible for the intrusion detection system

-
-
- - - - -

Organizational processes for intrusion detection and system monitoring

-

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

-

mechanisms supporting and/or implementing the visibility of encrypted communications traffic to monitoring tools

-
-
-
- - Analyze Communications Traffic Anomalies - - - - - - -

interior points within the system where communications traffic is to be analyzed are defined;

-
- - - - - - - - - -

Analyze outbound communications traffic at the external interfaces to the system and selected to discover anomalies.

-
- -

Organization-defined interior points include subnetworks and subsystems. Anomalies within organizational systems include large file transfers, long-time persistent connections, attempts to access information from unexpected locations, the use of unusual protocols and ports, the use of unmonitored network protocols (e.g., IPv6 usage during IPv4 transition), and attempted communications with suspected malicious external addresses.

-
- - - - -

outbound communications traffic at the external interfaces to the system is analyzed to discover anomalies;

-
- - -

outbound communications traffic at is analyzed to discover anomalies.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

network diagram

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

system monitoring logs or records

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

organizational personnel responsible for the intrusion detection system

-
-
- - - - -

Organizational processes for intrusion detection and system monitoring

-

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

-

mechanisms supporting and/or implementing the analysis of communications traffic

-
-
-
- - Automated Organization-generated Alerts - - - - - -

personnel or roles to be alerted when indications of inappropriate or unusual activity with security or privacy implications occur is/are defined;

-
- - - - - - -

automated mechanisms used to alert personnel or roles are defined;

-
- - - - - - -

activities that trigger alerts to personnel or are defined;

-
- - - - - - - - - -

Alert using when the following indications of inappropriate or unusual activities with security or privacy implications occur: .

-
- -

Organizational personnel on the system alert notification list include system administrators, mission or business owners, system owners, senior agency information security officer, senior agency official for privacy, system security officers, or privacy officers. Automated organization-generated alerts are the security alerts generated by organizations and transmitted using automated means. The sources for organization-generated alerts are focused on other entities such as suspicious activity reports and reports on potential insider threats. In contrast to alerts generated by the organization, alerts generated by the system in SI-4(5) focus on information sources that are internal to the systems, such as audit records.

-
- - -

is/are alerted using when indicate inappropriate or unusual activities with security or privacy implications.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

list of inappropriate or unusual activities with security and privacy implications that trigger alerts

-

suspicious activity reports

-

alerts provided to security and privacy personnel

-

system monitoring logs or records

-

system audit records

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security and privacy responsibilities

-

system developers

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

organizational personnel responsible for the intrusion detection system

-
-
- - - - -

Organizational processes for intrusion detection and system monitoring

-

automated mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

-

automated mechanisms supporting and/or implementing automated alerts to security personnel

-
-
-
- - Analyze Traffic and Event Patterns - - - - - - - - - - -

Analyze communications traffic and event patterns for the system;

-
- - -

Develop profiles representing common traffic and event patterns; and

-
- - -

Use the traffic and event profiles in tuning system-monitoring devices.

-
-
- -

Identifying and understanding common communications traffic and event patterns help organizations provide useful information to system monitoring devices to more effectively identify suspicious or anomalous traffic and events when they occur. Such information can help reduce the number of false positives and false negatives during system monitoring.

-
- - - - - - -

communications traffic for the system is analyzed;

-
- - -

event patterns for the system are analyzed;

-
-
- - - - -

profiles representing common traffic are developed;

-
- - -

profiles representing event patterns are developed;

-
-
- - - - -

traffic profiles are used in tuning system-monitoring devices;

-
- - -

event profiles are used in tuning system-monitoring devices.

-
-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

list of profiles representing common traffic patterns and/or events

-

system protocols documentation

-

list of acceptable thresholds for false positives and false negatives

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

organizational personnel responsible for the intrusion detection system

-
-
- - - - -

Organizational processes for intrusion detection and system monitoring

-

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

-

mechanisms supporting and/or implementing the analysis of communications traffic and event patterns

-
-
-
- - Wireless Intrusion Detection - - - - - - - - - -

Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.

-
- -

Wireless signals may radiate beyond organizational facilities. Organizations proactively search for unauthorized wireless connections, including the conduct of thorough scans for unauthorized wireless access points. Wireless scans are not limited to those areas within facilities containing systems but also include areas outside of facilities to verify that unauthorized wireless access points are not connected to organizational systems.

-
- - - - -

a wireless intrusion detection system is employed to identify rogue wireless devices;

-
- - -

a wireless intrusion detection system is employed to detect attack attempts on the system;

-
- - -

a wireless intrusion detection system is employed to detect potential compromises or breaches to the system.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

system protocols

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

organizational personnel responsible for the intrusion detection system

-
-
- - - - -

Organizational processes for intrusion detection

-

mechanisms supporting and/or implementing a wireless intrusion detection capability

-
-
-
- - Wireless to Wireline Communications - - - - - - - - -

Employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.

-
- -

Wireless networks are inherently less secure than wired networks. For example, wireless networks are more susceptible to eavesdroppers or traffic analysis than wireline networks. When wireless to wireline communications exist, the wireless network could become a port of entry into the wired network. Given the greater facility of unauthorized network access via wireless access points compared to unauthorized wired network access from within the physical boundaries of the system, additional monitoring of transitioning traffic between wireless and wired networks may be necessary to detect malicious activities. Employing intrusion detection systems to monitor wireless communications traffic helps to ensure that the traffic does not contain malicious code prior to transitioning to the wireline network.

-
- - -

an intrusion detection system is employed to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

system protocols documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

organizational personnel responsible for the intrusion detection system

-
-
- - - - -

Organizational processes for intrusion detection and system monitoring

-

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

-

mechanisms supporting and/or implementing a wireless intrusion detection capability

-
-
-
- - Correlate Monitoring Information - - - - - - - - - -

Correlate information from monitoring tools and mechanisms employed throughout the system.

-
- -

Correlating information from different system monitoring tools and mechanisms can provide a more comprehensive view of system activity. Correlating system monitoring tools and mechanisms that typically work in isolation—including malicious code protection software, host monitoring, and network monitoring—can provide an organization-wide monitoring view and may reveal otherwise unseen attack patterns. Understanding the capabilities and limitations of diverse monitoring tools and mechanisms and how to maximize the use of information generated by those tools and mechanisms can help organizations develop, operate, and maintain effective monitoring programs. The correlation of monitoring information is especially important during the transition from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).

-
- - -

information from monitoring tools and mechanisms employed throughout the system is correlated.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

event correlation logs or records

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

organizational personnel responsible for the intrusion detection system

-
-
- - - - -

Organizational processes for intrusion detection and system monitoring

-

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

-

mechanisms supporting and/or implementing the correlation of information from monitoring tools

-
-
-
- - Integrated Situational Awareness - - - - - - - - - - - - -

Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.

-
- -

Correlating monitoring information from a more diverse set of information sources helps to achieve integrated situational awareness. Integrated situational awareness from a combination of physical, cyber, and supply chain monitoring activities enhances the capability of organizations to more quickly detect sophisticated attacks and investigate the methods and techniques employed to carry out such attacks. In contrast to SI-4(16) , which correlates the various cyber monitoring information, integrated situational awareness is intended to correlate monitoring beyond the cyber domain. Correlation of monitoring information from multiple activities may help reveal attacks on organizations that are operating across multiple attack vectors.

-
- - -

information from monitoring physical, cyber, and supply chain activities are correlated to achieve integrated, organization-wide situational awareness.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

event correlation logs or records resulting from physical, cyber, and supply chain activities

-

system audit records

-

system security plan

-

supply chain risk management plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

organizational personnel responsible for the intrusion detection system

-
-
- - - - -

Organizational processes for intrusion detection and system monitoring

-

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

-

mechanisms supporting and/or implementing the correlation of information from monitoring tools

-
-
-
- - Analyze Traffic and Covert Exfiltration - - - - - - -

interior points within the system where communications traffic is to be analyzed are defined;

-
- - - - - - - - - -

Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: .

-
- -

Organization-defined interior points include subnetworks and subsystems. Covert means that can be used to exfiltrate information include steganography.

-
- - - - -

outbound communications traffic is analyzed at interfaces external to the system to detect covert exfiltration of information;

-
- - -

outbound communications traffic is analyzed at to detect covert exfiltration of information.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

network diagram

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

system monitoring logs or records

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

organizational personnel responsible for the intrusion detection system

-
-
- - - - -

Organizational processes for intrusion detection and system monitoring

-

mechanisms supporting and/or implementing intrusion detection and system monitoring capabilities

-

mechanisms supporting and/or implementing an analysis of outbound communications traffic

-
-
-
- - Risk for Individuals - - - - - -

additional monitoring of individuals who have been identified as posing an increased level of risk is defined;

-
- - - - - - -

sources that identify individuals who pose an increased level of risk are defined;

-
- - - - - - - - -

Implement of individuals who have been identified by as posing an increased level of risk.

-
- -

Indications of increased risk from individuals can be obtained from different sources, including personnel records, intelligence agencies, law enforcement organizations, and other sources. The monitoring of individuals is coordinated with the management, legal, security, privacy, and human resource officials who conduct such monitoring. Monitoring is conducted in accordance with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.

-
- - -

is implemented on individuals who have been identified by as posing an increased level of risk.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security and privacy responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-

legal counsel

-

human resource officials

-

organizational personnel with personnel security responsibilities

-
-
- - - - -

Organizational processes for system monitoring

-

mechanisms supporting and/or implementing a system monitoring capability

-
-
-
- - Privileged Users - - - - - -

additional monitoring of privileged users is defined;

-
- - - - - - - - - -

Implement the following additional monitoring of privileged users: .

-
- -

Privileged users have access to more sensitive information, including security-related information, than the general user population. Access to such information means that privileged users can potentially do greater damage to systems and organizations than non-privileged users. Therefore, implementing additional monitoring on privileged users helps to ensure that organizations can identify malicious activity at the earliest possible time and take appropriate actions.

-
- - -

of privileged users is implemented.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

system monitoring logs or records

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-
-
- - - - -

Organizational processes for system monitoring

-

mechanisms supporting and/or implementing a system monitoring capability

-
-
-
- - Probationary Periods - - - - - -

additional monitoring to be implemented on individuals during probationary periods is defined;

-
- - - - - - -

the probationary period of individuals is defined;

-
- - - - - - - - - -

Implement the following additional monitoring of individuals during : .

-
- -

During probationary periods, employees do not have permanent employment status within organizations. Without such status or access to information that is resident on the system, additional monitoring can help identify any potentially malicious activity or inappropriate behavior.

-
- - -

of individuals is implemented during .

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

system monitoring logs or records

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-
-
- - - - -

Organizational processes for system monitoring

-

mechanisms supporting and/or implementing a system monitoring capability

-
-
-
- - Unauthorized Network Services - - - - - -

authorization or approval processes for network services are defined;

-
- - - - - - - - - - - -

personnel or roles to be alerted upon the detection of network services that have not been authorized or approved by authorization or approval processes is/are defined (if selected);

-
- - - - - - - - - - - -

Detect network services that have not been authorized or approved by ; and

-
- - -

when detected.

-
-
- -

Unauthorized or unapproved network services include services in service-oriented architectures that lack organizational verification or validation and may therefore be unreliable or serve as malicious rogues for valid services.

-
- - - - -

network services that have not been authorized or approved by are detected;

-
- - -

is/are initiated when network services that have not been authorized or approved by authorization or approval processes are detected.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

documented authorization/approval of network services

-

notifications or alerts of unauthorized network services

-

system monitoring logs or records

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

system developer

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring the system

-
-
- - - - -

Organizational processes for system monitoring

-

mechanisms supporting and/or implementing a system monitoring capability

-

mechanisms for auditing network services

-

mechanisms for providing alerts

-
-
-
- - Host-based Devices - - - - - -

host-based monitoring mechanisms to be implemented on system components are defined;

-
- - - - - - -

system components where host-based monitoring is to be implemented are defined;

-
- - - - - - - - - - -

Implement the following host-based monitoring mechanisms at : .

-
- -

Host-based monitoring collects information about the host (or system in which it resides). System components in which host-based monitoring can be implemented include servers, notebook computers, and mobile devices. Organizations may consider employing host-based monitoring mechanisms from multiple product developers or vendors.

-
- - -

are implemented on .

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring tools and techniques

-

system design documentation

-

host-based monitoring mechanisms

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

list of system components requiring host-based monitoring

-

system monitoring logs or records

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring system hosts

-
-
- - - - -

Organizational processes for system monitoring

-

mechanisms supporting and/or implementing a host-based monitoring capability

-
-
-
- - Indicators of Compromise - - - - - -

sources that provide indicators of compromise are defined;

-
- - - - - - -

personnel or roles to whom indicators of compromise are to be distributed is/are defined;

-
- - - - - - - - - -

Discover, collect, and distribute to , indicators of compromise provided by .

-
- -

Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational systems at the host or network level. IOCs provide valuable information on systems that have been compromised. IOCs can include the creation of registry key values. IOCs for network traffic include Universal Resource Locator or protocol elements that indicate malicious code command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that systems and organizations are vulnerable to the same exploit or attack. Threat indicators, signatures, tactics, techniques, procedures, and other indicators of compromise may be available via government and non-government cooperatives, including the Forum of Incident Response and Security Teams, the United States Computer Emergency Readiness Team, the Defense Industrial Base Cybersecurity Information Sharing Program, and the CERT Coordination Center.

-
- - - - -

indicators of compromise provided by are discovered;

-
- - -

indicators of compromise provided by are collected;

-
- - -

indicators of compromise provided by are distributed to .

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

system monitoring logs or records

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

system developer

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring system hosts

-
-
- - - - -

Organizational processes for system monitoring

-

organizational processes for the discovery, collection, distribution, and use of indicators of compromise

-

mechanisms supporting and/or implementing a system monitoring capability

-

mechanisms supporting and/or implementing the discovery, collection, distribution, and use of indicators of compromise

-
-
-
- - Optimize Network Traffic Analysis - - - - - - - -

Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.

-
- -

Encrypted traffic, asymmetric routing architectures, capacity and latency limitations, and transitioning from older to newer technologies (e.g., IPv4 to IPv6 network protocol transition) may result in blind spots for organizations when analyzing network traffic. Collecting, decrypting, pre-processing, and distributing only relevant traffic to monitoring devices can streamline the efficiency and use of devices and optimize traffic analysis.

-
- - - - -

visibility into network traffic at external system interfaces is provided to optimize the effectiveness of monitoring devices;

-
- - -

visibility into network traffic at key internal system interfaces is provided to optimize the effectiveness of monitoring devices.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system monitoring

-

system design documentation

-

system monitoring tools and techniques documentation

-

system configuration settings and associated documentation

-

system monitoring logs or records

-

system architecture

-

system audit records

-

network traffic reports

-

system security plan

-

other relevant documents or records

-
-
- - - - -

System/network administrators

-

organizational personnel with information security responsibilities

-

system developer

-

organizational personnel installing, configuring, and/or maintaining the system

-

organizational personnel responsible for monitoring system hosts

-
-
- - - - -

Organizational processes for system monitoring

-

organizational processes for the discovery, collection, distribution, and use of indicators of compromise

-

mechanisms supporting and/or implementing a system monitoring capability

-

mechanisms supporting and/or implementing the discovery, collection, distribution, and use of indicators of compromise

-
-
-
-
- - Security Alerts, Advisories, and Directives - - - - - -

external organizations from whom system security alerts, advisories, and directives are to be received on an ongoing basis are defined;

-
- - - - - - - - - - - -

personnel or roles to whom security alerts, advisories, and directives are to be disseminated is/are defined (if selected);

-
- - - - - - - -

elements within the organization to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);

-
- - - - - - -

external organizations to whom security alerts, advisories, and directives are to be disseminated are defined (if selected);

-
- - - - - - - - - - - - - -

Receive system security alerts, advisories, and directives from on an ongoing basis;

-
- - -

Generate internal security alerts, advisories, and directives as deemed necessary;

-
- - -

Disseminate security alerts, advisories, and directives to: ; and

-
- - -

Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance.

-
-
- -

The Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness throughout the Federal Government. Security directives are issued by OMB or other designated organizations with the responsibility and authority to issue such directives. Compliance with security directives is essential due to the critical nature of many of these directives and the potential (immediate) adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner. External organizations include supply chain partners, external mission or business partners, external service providers, and other peer or supporting organizations.

-
- - - - -

system security alerts, advisories, and directives are received from on an ongoing basis;

-
- - -

internal security alerts, advisories, and directives are generated as deemed necessary;

-
- - -

security alerts, advisories, and directives are disseminated to ;

-
- - -

security directives are implemented in accordance with established time frames or if the issuing organization is notified of the degree of noncompliance.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing security alerts, advisories, and directives

-

records of security alerts and advisories

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with security alert and advisory responsibilities

-

organizational personnel implementing, operating, maintaining, and using the system

-

organizational personnel, organizational elements, and/or external organizations to whom alerts, advisories, and directives are to be disseminated

-

system/network administrators

-

organizational personnel with information security responsibilities

-
-
- - - - -

Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives

-

mechanisms supporting and/or implementing the definition, receipt, generation, and dissemination of security alerts, advisories, and directives

-

mechanisms supporting and/or implementing security directives

-
-
- - Automated Alerts and Advisories - - - - - -

automated mechanisms used to broadcast security alert and advisory information throughout the organization are defined;

-
- - - - - - - - -

Broadcast security alert and advisory information throughout the organization using .

-
- -

The significant number of changes to organizational systems and environments of operation requires the dissemination of security-related information to a variety of organizational entities that have a direct interest in the success of organizational mission and business functions. Based on information provided by security alerts and advisories, changes may be required at one or more of the three levels related to the management of risk, including the governance level, mission and business process level, and the information system level.

-
- - -

are used to broadcast security alert and advisory information throughout the organization.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing security alerts, advisories, and directives

-

system design documentation

-

system configuration settings and associated documentation

-

automated mechanisms supporting the distribution of security alert and advisory information

-

records of security alerts and advisories

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with security alert and advisory responsibilities

-

organizational personnel implementing, operating, maintaining, and using the system

-

organizational personnel, organizational elements, and/or external organizations to whom alerts and advisories are to be disseminated

-

system/network administrators

-

organizational personnel with information security responsibilities

-
-
- - - - -

Organizational processes for defining, receiving, generating, and disseminating security alerts and advisories

-

automated mechanisms supporting and/or implementing the dissemination of security alerts and advisories

-
-
-
-
- - Security and Privacy Function Verification - - - - - - - - - -

security functions to be verified for correct operation are defined;

-
- - - - - -

privacy functions to be verified for correct operation are defined;

-
- - - - - - - - - - - -

system transitional states requiring the verification of security and privacy functions are defined; (if selected)

-
- - - - - - -

frequency at which to verify the correct operation of security and privacy functions is defined; (if selected)

-
- - - - - - -

personnel or roles to be alerted of failed security and privacy verification tests is/are defined;

-
- - - - - - - - - - - -

alternative action(s) to be performed when anomalies are discovered are defined (if selected);

-
- - - - - - - - - - - - - - -

Verify the correct operation of ;

-
- - -

Perform the verification of the functions specified in SI-6a ;

-
- - -

Alert to failed security and privacy verification tests; and

-
- - -

when anomalies are discovered.

-
-
- -

Transitional states for systems include system startup, restart, shutdown, and abort. System notifications include hardware indicator lights, electronic alerts to system administrators, and messages to local computer consoles. In contrast to security function verification, privacy function verification ensures that privacy functions operate as expected and are approved by the senior agency official for privacy or that privacy attributes are applied or used as expected.

-
- - - - - - -

are verified to be operating correctly;

-
- - -

are verified to be operating correctly;

-
-
- - - - -

are verified ;

-
- - -

are verified ;

-
-
- - - - -

is/are alerted to failed security verification tests;

-
- - -

is/are alerted to failed privacy verification tests;

-
-
- - -

is/are initiated when anomalies are discovered.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing security and privacy function verification

-

system design documentation

-

system configuration settings and associated documentation

-

alerts/notifications of failed security verification tests

-

list of system transition states requiring security functionality verification

-

system audit records

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with security and privacy function verification responsibilities

-

organizational personnel implementing, operating, and maintaining the system

-

system/network administrators

-

organizational personnel with information security and privacy responsibilities

-

system developer

-
-
- - - - -

Organizational processes for security and privacy function verification

-

mechanisms supporting and/or implementing the security and privacy function verification capability

-
-
- - Notification of Failed Security Tests - - - - - - - - Automation Support for Distributed Testing - - - - - - - -

Implement automated mechanisms to support the management of distributed security and privacy function testing.

-
- -

The use of automated mechanisms to support the management of distributed function testing helps to ensure the integrity, timeliness, completeness, and efficacy of such testing.

-
- - - - -

automated mechanisms are implemented to support the management of distributed security function testing;

-
- - -

automated mechanisms are implemented to support the management of distributed privacy function testing.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing security and privacy function verification

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with security and privacy function verification responsibilities

-

organizational personnel implementing, operating, and maintaining the system

-

system/network administrators

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Organizational processes for security and privacy function verification

-

automated mechanisms supporting and/or implementing the management of distributed security and privacy testing

-
-
-
- - Report Verification Results - - - - - -

personnel or roles designated to receive the results of security and privacy function verification is/are defined;

-
- - - - - - - - - - -

Report the results of security and privacy function verification to .

-
- -

Organizational personnel with potential interest in the results of the verification of security and privacy functions include systems security officers, senior agency information security officers, and senior agency officials for privacy.

-
- - - - -

the results of security function verification are reported to ;

-
- - -

the results of privacy function verification are reported to .

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing security and privacy function verification

-

system design documentation

-

system configuration settings and associated documentation

-

reports of security and privacy function verification results

-

system audit records

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with security and privacy function verification responsibilities

-

organizational personnel who are recipients of security and privacy function verification reports

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Organizational processes for reporting security and privacy function verification results

-

mechanisms supporting and/or implementing the reporting of security and privacy function verification results

-
-
-
-
- - Software, Firmware, and Information Integrity - - - - - - - - - - - - - - - - -

software requiring integrity verification tools to be employed to detect unauthorized changes is defined;

-
- - - - - -

firmware requiring integrity verification tools to be employed to detect unauthorized changes is defined;

-
- - - - - -

information requiring integrity verification tools to be employed to detect unauthorized changes is defined;

-
- - - - - -

actions to be taken when unauthorized changes to software are detected are defined;

-
- - - - - -

actions to be taken when unauthorized changes to firmware are detected are defined;

-
- - - - - -

actions to be taken when unauthorized changes to information are detected are defined;

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: ; and

-
- - -

Take the following actions when unauthorized changes to the software, firmware, and information are detected: .

-
-
- -

Unauthorized changes to software, firmware, and information can occur due to errors or malicious activity. Software includes operating systems (with key internal components, such as kernels or drivers), middleware, and applications. Firmware interfaces include Unified Extensible Firmware Interface (UEFI) and Basic Input/Output System (BIOS). Information includes personally identifiable information and metadata that contains security and privacy attributes associated with information. Integrity-checking mechanisms—including parity checks, cyclical redundancy checks, cryptographic hashes, and associated tools—can automatically monitor the integrity of systems and hosted applications.

-
- - - - - - -

integrity verification tools are employed to detect unauthorized changes to ;

-
- - -

integrity verification tools are employed to detect unauthorized changes to ;

-
- - -

integrity verification tools are employed to detect unauthorized changes to ;

-
-
- - - - -

are taken when unauthorized changes to the software, are detected;

-
- - -

are taken when unauthorized changes to the firmware are detected;

-
- - -

are taken when unauthorized changes to the information are detected.

-
-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing software, firmware, and information integrity

-

personally identifiable information processing policy

-

system design documentation

-

system configuration settings and associated documentation

-

integrity verification tools and associated documentation

-

records generated or triggered by integrity verification tools regarding unauthorized software, firmware, and information changes

-

system audit records

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for software, firmware, and/or information integrity

-

organizational personnel with information security and privacy responsibilities

-

system/network administrators

-
-
- - - - -

Software, firmware, and information integrity verification tools

-
-
- - Integrity Checks - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

software on which an integrity check is to be performed is defined;

-
- - - - - - - - - -

transitional states or security-relevant events requiring integrity checks (on software) are defined (if selected);

-
- - - - - -

frequency with which to perform an integrity check (on software) is defined (if selected);

-
- - - - - -

firmware on which an integrity check is to be performed is defined;

-
- - - - - - - - - -

transitional states or security-relevant events requiring integrity checks (on firmware) are defined (if selected);

-
- - - - - -

frequency with which to perform an integrity check (on firmware) is defined (if selected);

-
- - - - - -

information on which an integrity check is to be performed is defined;

-
- - - - - - - - - -

transitional states or security-relevant events requiring integrity checks (of information) are defined (if selected);

-
- - - - - -

frequency with which to perform an integrity check (of information) is defined (if selected);

-
- - - - - - - - -

Perform an integrity check of .

-
- -

Security-relevant events include the identification of new threats to which organizational systems are susceptible and the installation of new hardware, software, or firmware. Transitional states include system startup, restart, shutdown, and abort.

-
- - - - -

an integrity check of is performed ;

-
- - -

an integrity check of is performed ;

-
- - -

an integrity check of is performed .

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing software, firmware, and information integrity testing

-

system design documentation

-

system configuration settings and associated documentation

-

integrity verification tools and associated documentation

-

records of integrity scans

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for software, firmware, and/or information integrity

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Software, firmware, and information integrity verification tools

-
-
-
- - Automated Notifications of Integrity Violations - - - - - -

personnel or roles to whom notification is to be provided upon discovering discrepancies during integrity verification is/are defined;

-
- - - - - - - - -

Employ automated tools that provide notification to upon discovering discrepancies during integrity verification.

-
- -

The employment of automated tools to report system and information integrity violations and to notify organizational personnel in a timely matter is essential to effective risk response. Personnel with an interest in system and information integrity violations include mission and business owners, system owners, senior agency information security official, senior agency official for privacy, system administrators, software developers, systems integrators, information security officers, and privacy officers.

-
- - -

automated tools that provide notification to upon discovering discrepancies during integrity verification are employed.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing software, firmware, and information integrity

-

personally identifiable information processing policy

-

system design documentation

-

system configuration settings and associated documentation

-

integrity verification tools and associated documentation

-

records of integrity scans

-

automated tools supporting alerts and notifications for integrity discrepancies

-

notifications provided upon discovering discrepancies during integrity verifications

-

system audit records

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for software, firmware, and/or information integrity

-

organizational personnel with information security and privacy responsibilities

-

system administrators

-

software developers

-
-
- - - - -

Software, firmware, and information integrity verification tools

-

mechanisms providing integrity discrepancy notifications

-
-
-
- - Centrally Managed Integrity Tools - - - - - - - - - - -

Employ centrally managed integrity verification tools.

-
- -

Centrally managed integrity verification tools provides greater consistency in the application of such tools and can facilitate more comprehensive coverage of integrity verification actions.

-
- - -

centrally managed integrity verification tools are employed.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing software, firmware, and information integrity

-

system design documentation

-

system configuration settings and associated documentation

-

integrity verification tools and associated documentation

-

records of integrity scans

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for the central management of integrity verification tools

-

organizational personnel with information security responsibilities

-
-
- - - - -

Mechanisms supporting and/or implementing the central management of integrity verification tools

-
-
-
- - Tamper-evident Packaging - - - - - - - - Automated Response to Integrity Violations - - - - - - - - - - -

controls to be implemented automatically when integrity violations are discovered are defined (if selected);

-
- - - - - - - - -

Automatically when integrity violations are discovered.

-
- -

Organizations may define different integrity-checking responses by type of information, specific information, or a combination of both. Types of information include firmware, software, and user data. Specific information includes boot firmware for certain types of machines. The automatic implementation of controls within organizational systems includes reversing the changes, halting the system, or triggering audit alerts when unauthorized modifications to critical security files occur.

-
- - -

are automatically performed when integrity violations are discovered.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing software, firmware, and information integrity

-

system design documentation

-

system configuration settings and associated documentation

-

integrity verification tools and associated documentation

-

records of integrity scans

-

records of integrity checks and responses to integrity violations

-

audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for software, firmware, and/or information integrity

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Software, firmware, and information integrity verification tools

-

mechanisms providing an automated response to integrity violations

-

mechanisms supporting and/or implementing security safeguards to be implemented when integrity violations are discovered

-
-
-
- - Cryptographic Protection - - - - - - - - - -

Implement cryptographic mechanisms to detect unauthorized changes to software, firmware, and information.

-
- -

Cryptographic mechanisms used to protect integrity include digital signatures and the computation and application of signed hashes using asymmetric cryptography, protecting the confidentiality of the key used to generate the hash, and using the public key to verify the hash information. Organizations that employ cryptographic mechanisms also consider cryptographic key management solutions.

-
- - - - -

cryptographic mechanisms are implemented to detect unauthorized changes to software;

-
- - -

cryptographic mechanisms are implemented to detect unauthorized changes to firmware;

-
- - -

cryptographic mechanisms are implemented to detect unauthorized changes to information.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing software, firmware, and information integrity

-

system design documentation

-

system configuration settings and associated documentation

-

cryptographic mechanisms and associated documentation

-

records of detected unauthorized changes to software, firmware, and information

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for software, firmware, and/or information integrity

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Software, firmware, and information integrity verification tools

-

cryptographic mechanisms implementing software, firmware, and information integrity

-
-
-
- - Integration of Detection and Response - - - - - - -

security-relevant changes to the system are defined;

-
- - - - - - - - - - - - - -

Incorporate the detection of the following unauthorized changes into the organizational incident response capability: .

-
- -

Integrating detection and response helps to ensure that detected events are tracked, monitored, corrected, and available for historical purposes. Maintaining historical records is important for being able to identify and discern adversary actions over an extended time period and for possible legal actions. Security-relevant changes include unauthorized changes to established configuration settings or the unauthorized elevation of system privileges.

-
- - -

the detection of are incorporated into the organizational incident response capability.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing software, firmware, and information integrity

-

procedures addressing incident response

-

system design documentation

-

system configuration settings and associated documentation

-

incident response records

-

audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for software, firmware, and/or information integrity

-

organizational personnel with information security responsibilities

-

organizational personnel with incident response responsibilities

-
-
- - - - -

Organizational processes for incorporating the detection of unauthorized security-relevant changes into the incident response capability

-

software, firmware, and information integrity verification tools

-

mechanisms supporting and/or implementing the incorporation of detection of unauthorized security-relevant changes into the incident response capability

-
-
-
- - Auditing Capability for Significant Events - - - - - - - - - - -

personnel or roles to be alerted upon the detection of a potential integrity violation is/are defined (if selected);

-
- - - - - - -

other actions to be taken upon the detection of a potential integrity violation are defined (if selected);

-
- - - - - - - - - - - -

Upon detection of a potential integrity violation, provide the capability to audit the event and initiate the following actions: .

-
- -

Organizations select response actions based on types of software, specific software, or information for which there are potential integrity violations.

-
- - - - -

the capability to audit an event upon the detection of a potential integrity violation is provided;

-
- - -

is/are initiated upon the detection of a potential integrity violation.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing software, firmware, and information integrity

-

system design documentation

-

system configuration settings and associated documentation

-

integrity verification tools and associated documentation

-

records of integrity scans

-

incident response records

-

list of security-relevant changes to the system

-

automated tools supporting alerts and notifications if unauthorized security changes are detected

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for software, firmware, and/or information integrity

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Software, firmware, and information integrity verification tools

-

mechanisms supporting and/or implementing the capability to audit potential integrity violations

-

mechanisms supporting and/or implementing alerts about potential integrity violations

-
-
-
- - Verify Boot Process - - - - - -

system components requiring integrity verification of the boot process are defined;

-
- - - - - - - - - -

Verify the integrity of the boot process of the following system components: .

-
- -

Ensuring the integrity of boot processes is critical to starting system components in known, trustworthy states. Integrity verification mechanisms provide a level of assurance that only trusted code is executed during boot processes.

-
- - -

the integrity of the boot process of is verified.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing software, firmware, and information integrity

-

system design documentation

-

system configuration settings and associated documentation

-

integrity verification tools and associated documentation

-

documentation

-

records of integrity verification scans

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for software, firmware, and/or information integrity

-

organizational personnel with information security responsibilities

-

system developer

-
-
- - - - -

Software, firmware, and information integrity verification tools

-

mechanisms supporting and/or implementing integrity verification of the boot process

-
-
-
- - Protection of Boot Firmware - - - - - -

mechanisms to be implemented to protect the integrity of boot firmware in system components are defined;

-
- - - - - - -

system components requiring mechanisms to protect the integrity of boot firmware are defined;

-
- - - - - - - - - -

Implement the following mechanisms to protect the integrity of boot firmware in : .

-
- -

Unauthorized modifications to boot firmware may indicate a sophisticated, targeted attack. These types of targeted attacks can result in a permanent denial of service or a persistent malicious code presence. These situations can occur if the firmware is corrupted or if the malicious code is embedded within the firmware. System components can protect the integrity of boot firmware in organizational systems by verifying the integrity and authenticity of all updates to the firmware prior to applying changes to the system component and preventing unauthorized processes from modifying the boot firmware.

-
- - -

are implemented to protect the integrity of boot firmware in .

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing software, firmware, and information integrity

-

system design documentation

-

system configuration settings and associated documentation

-

integrity verification tools and associated documentation

-

records of integrity verification scans

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for software, firmware, and/or information integrity

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Software, firmware, and information integrity verification tools

-

mechanisms supporting and/or implementing protection of the integrity of boot firmware

-

safeguards implementing protection of the integrity of boot firmware

-
-
-
- - Confined Environments with Limited Privileges - - - - - - - - Integrity Verification - - - - - -

user-installed software requiring integrity verification prior to execution is defined;

-
- - - - - - - - - - -

Require that the integrity of the following user-installed software be verified prior to execution: .

-
- -

Organizations verify the integrity of user-installed software prior to execution to reduce the likelihood of executing malicious code or programs that contains errors from unauthorized modifications. Organizations consider the practicality of approaches to verifying software integrity, including the availability of trustworthy checksums from software developers and vendors.

-
- - -

the integrity of is verified prior to execution.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing software, firmware, and information integrity

-

system design documentation

-

system configuration settings and associated documentation

-

integrity verification records

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for software, firmware, and/or information integrity

-

organizational personnel with information security responsibilities

-
-
- - - - -

Software, firmware, and information integrity verification tools

-

mechanisms supporting and/or implementing verification of the integrity of user-installed software prior to execution

-
-
-
- - Code Execution in Protected Environments - - - - - - - - Binary or Machine Executable Code - - - - - - - - Code Authentication - - - - - -

software or firmware components to be authenticated by cryptographic mechanisms prior to installation are defined;

-
- - - - - - - - - - - -

Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: .

-
- -

Cryptographic authentication includes verifying that software or firmware components have been digitally signed using certificates recognized and approved by organizations. Code signing is an effective method to protect against malicious code. Organizations that employ cryptographic mechanisms also consider cryptographic key management solutions.

-
- - -

cryptographic mechanisms are implemented to authenticate prior to installation.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing software, firmware, and information integrity

-

system design documentation

-

system configuration settings and associated documentation

-

cryptographic mechanisms and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for software, firmware, and/or information integrity

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Cryptographic mechanisms authenticating software and firmware prior to installation

-
-
-
- - Time Limit on Process Execution Without Supervision - - - - - -

the maximum time period permitted for processes to execute without supervision is defined;

-
- - - - - - - - -

Prohibit processes from executing without supervision for more than .

-
- -

Placing a time limit on process execution without supervision is intended to apply to processes for which typical or normal execution periods can be determined and situations in which organizations exceed such periods. Supervision includes timers on operating systems, automated responses, and manual oversight and response when system process anomalies occur.

-
- - -

processes are prohibited from executing without supervision for more than .

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing software and information integrity

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for software, firmware, and/or information integrity

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Software, firmware, and information integrity verification tools

-

mechanisms supporting and/or implementing time limits on process execution without supervision

-
-
-
- - Runtime Application Self-protection - - - - - -

controls to be implemented for application self-protection at runtime are defined;

-
- - - - - - - - - - -

Implement for application self-protection at runtime.

-
- -

Runtime application self-protection employs runtime instrumentation to detect and block the exploitation of software vulnerabilities by taking advantage of information from the software in execution. Runtime exploit prevention differs from traditional perimeter-based protections such as guards and firewalls which can only detect and block attacks by using network information without contextual awareness. Runtime application self-protection technology can reduce the susceptibility of software to attacks by monitoring its inputs and blocking those inputs that could allow attacks. It can also help protect the runtime environment from unwanted changes and tampering. When a threat is detected, runtime application self-protection technology can prevent exploitation and take other actions (e.g., sending a warning message to the user, terminating the user's session, terminating the application, or sending an alert to organizational personnel). Runtime application self-protection solutions can be deployed in either a monitor or protection mode.

-
- - -

are implemented for application self-protection at runtime.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing software and information integrity

-

system design documentation

-

system configuration settings and associated documentation

-

list of known vulnerabilities addressed by runtime instrumentation

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for software, firmware, and/or information integrity

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Software, firmware, and information integrity verification tools

-

mechanisms supporting and/or implementing runtime application self-protection

-
-
-
-
- - Spam Protection - - - - - - - - - - - - - - - -

Employ spam protection mechanisms at system entry and exit points to detect and act on unsolicited messages; and

-
- - -

Update spam protection mechanisms when new releases are available in accordance with organizational configuration management policy and procedures.

-
-
- -

System entry and exit points include firewalls, remote-access servers, electronic mail servers, web servers, proxy servers, workstations, notebook computers, and mobile devices. Spam can be transported by different means, including email, email attachments, and web accesses. Spam protection mechanisms include signature definitions.

-
- - - - - - -

spam protection mechanisms are employed at system entry points to detect unsolicited messages;

-
- - -

spam protection mechanisms are employed at system exit points to detect unsolicited messages;

-
- - -

spam protection mechanisms are employed at system entry points to act on unsolicited messages;

-
- - -

spam protection mechanisms are employed at system exit points to act on unsolicited messages;

-
-
- - -

spam protection mechanisms are updated when new releases are available in accordance with organizational configuration management policies and procedures.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

configuration management policies and procedures (CM-01)

-

procedures addressing spam protection

-

spam protection mechanisms

-

records of spam protection updates

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for spam protection

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Organizational processes for implementing spam protection

-

mechanisms supporting and/or implementing spam protection

-
-
- - Central Management - - - - - - - - Automatic Updates - - - - - -

the frequency at which to automatically update spam protection mechanisms is defined;

-
- - - - - - - -

Automatically update spam protection mechanisms .

-
- -

Using automated mechanisms to update spam protection mechanisms helps to ensure that updates occur on a regular basis and provide the latest content and protection capabilities.

-
- - -

spam protection mechanisms are automatically updated .

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing spam protection

-

spam protection mechanisms

-

records of spam protection updates

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for spam protection

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Organizational processes for spam protection

-

mechanisms supporting and/or implementing automatic updates to spam protection mechanisms

-
-
-
- - Continuous Learning Capability - - - - - - -

Implement spam protection mechanisms with a learning capability to more effectively identify legitimate communications traffic.

-
- -

Learning mechanisms include Bayesian filters that respond to user inputs that identify specific traffic as spam or legitimate by updating algorithm parameters and thereby more accurately separating types of traffic.

-
- - -

spam protection mechanisms with a learning capability are implemented to more effectively identify legitimate communications traffic.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing spam protection

-

spam protection mechanisms

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for spam protection

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Organizational processes for spam protection

-

mechanisms supporting and/or implementing spam protection mechanisms with a learning capability

-
-
-
-
- - Information Input Restrictions - - - - - - - - - - - Information Input Validation - - - - - - - -

information inputs to the system requiring validity checks are defined;

-
- - - - - - - - -

Check the validity of the following information inputs: .

-
- -

Checking the valid syntax and semantics of system inputs—including character set, length, numerical range, and acceptable values—verifies that inputs match specified definitions for format and content. For example, if the organization specifies that numerical values between 1-100 are the only acceptable inputs for a field in a given application, inputs of 387, abc, or %K% are invalid inputs and are not accepted as input to the system. Valid inputs are likely to vary from field to field within a software application. Applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the corrupted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing them to interpreters prevents the content from being unintentionally interpreted as commands. Input validation ensures accurate and correct inputs and prevents attacks such as cross-site scripting and a variety of injection attacks.

-
- - -

the validity of the is checked.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

access control policy and procedures

-

separation of duties policy and procedures

-

procedures addressing information input validation

-

documentation for automated tools and applications to verify the validity of information

-

list of information inputs requiring validity checks

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for information input validation

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Mechanisms supporting and/or implementing validity checks on information inputs

-
-
- - Manual Override Capability - - - - - -

authorized individuals who can use the manual override capability are defined;

-
- - - - - - - - - - - - - - -

Provide a manual override capability for input validation of the following information inputs: ;

-
- - -

Restrict the use of the manual override capability to only ; and

-
- - -

Audit the use of the manual override capability.

-
-
- -

In certain situations, such as during events that are defined in contingency plans, a manual override capability for input validation may be needed. Manual overrides are used only in limited circumstances and with the inputs defined by the organization.

-
- - - - -

a manual override capability for the validation of is provided;

-
- - -

the use of the manual override capability is restricted to only ;

-
- - -

the use of the manual override capability is audited.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

access control policy and procedures

-

separation of duties policy and procedures

-

procedures addressing information input validation

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for information input validation

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Organizational processes for the use of a manual override capability

-

mechanisms supporting and/or implementing a manual override capability for input validation

-

mechanisms supporting and/or implementing auditing of the use of a manual override capability

-
-
-
- - Review and Resolve Errors - - - - - - - - - -

the time period within which input validation errors are to be reviewed is defined;

-
- - - - - -

the time period within which input validation errors are to be resolved is defined;

-
- - - - - - - - -

Review and resolve input validation errors within .

-
- -

Resolution of input validation errors includes correcting systemic causes of errors and resubmitting transactions with corrected input. Input validation errors are those related to the information inputs defined by the organization in the base control ( SI-10).

-
- - - - -

input validation errors are reviewed within ;

-
- - -

input validation errors are resolved within .

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing information input validation

-

system design documentation

-

system configuration settings and associated documentation

-

review records of information input validation errors and resulting resolutions

-

information input validation error logs or records

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for information input validation

-

organizational personnel with information security responsibilities

-

system/network administrators

-
-
- - - - -

Organizational processes for the review and resolution of input validation errors

-

mechanisms supporting and/or implementing the review and resolution of input validation errors

-
-
-
- - Predictable Behavior - - - - - - - - -

Verify that the system behaves in a predictable and documented manner when invalid inputs are received.

-
- -

A common vulnerability in organizational systems is unpredictable behavior when invalid inputs are received. Verification of system predictability helps ensure that the system behaves as expected when invalid inputs are received. This occurs by specifying system responses that allow the system to transition to known states without adverse, unintended side effects. The invalid inputs are those related to the information inputs defined by the organization in the base control ( SI-10).

-
- - - - -

the system behaves in a predictable manner when invalid inputs are received;

-
- - -

the system behaves in a documented manner when invalid inputs are received.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing information input validation

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for information input validation

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Automated mechanisms supporting and/or implementing predictable behavior when invalid inputs are received

-
-
-
- - Timing Interactions - - - - - - - -

Account for timing interactions among system components in determining appropriate responses for invalid inputs.

-
- -

In addressing invalid system inputs received across protocol interfaces, timing interactions become relevant, where one protocol needs to consider the impact of the error response on other protocols in the protocol stack. For example, 802.11 standard wireless network protocols do not interact well with Transmission Control Protocols (TCP) when packets are dropped (which could be due to invalid packet input). TCP assumes packet losses are due to congestion, while packets lost over 802.11 links are typically dropped due to noise or collisions on the link. If TCP makes a congestion response, it takes the wrong action in response to a collision event. Adversaries may be able to use what appear to be acceptable individual behaviors of the protocols in concert to achieve adverse effects through suitable construction of invalid input. The invalid inputs are those related to the information inputs defined by the organization in the base control ( SI-10).

-
- - -

timing interactions among system components are accounted for in determining appropriate responses for invalid inputs.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing information input validation

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for information input validation

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Organizational processes for determining appropriate responses to invalid inputs

-

automated mechanisms supporting and/or implementing responses to invalid inputs

-
-
-
- - Restrict Inputs to Trusted Sources and Approved Formats - - - - - -

trusted sources to which the use of information inputs is to be restricted are defined;

-
- - - - - - -

formats to which the use of information inputs is to be restricted are defined;

-
- - - - - - - - - - -

Restrict the use of information inputs to and/or .

-
- -

Restricting the use of inputs to trusted sources and in trusted formats applies the concept of authorized or permitted software to information inputs. Specifying known trusted sources for information inputs and acceptable formats for such inputs can reduce the probability of malicious activity. The information inputs are those defined by the organization in the base control ( SI-10).

-
- - -

the use of information inputs is restricted to and/or .

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing information input validation

-

system design documentation

-

system configuration settings and associated documentation

-

list of trusted sources for information inputs

-

list of acceptable formats for input restrictions

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for information input validation

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Organizational processes for restricting information inputs

-

automated mechanisms supporting and/or implementing restriction of information inputs

-
-
-
- - Injection Prevention - - - - - - - - - -

Prevent untrusted data injections.

-
- -

Untrusted data injections may be prevented using a parameterized interface or output escaping (output encoding). Parameterized interfaces separate data from code so that injections of malicious or unintended data cannot change the semantics of commands being sent. Output escaping uses specified characters to inform the interpreter’s parser whether data is trusted. Prevention of untrusted data injections are with respect to the information inputs defined by the organization in the base control ( SI-10).

-
- - -

untrusted data injections are prevented.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing information input validation

-

system design documentation

-

system configuration settings and associated documentation

-

list of trusted sources for information inputs

-

list of acceptable formats for input restrictions

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for information input validation

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Organizational processes for preventing untrusted data injections

-

automated mechanisms supporting and/or implementing injection prevention

-
-
-
-
- - Error Handling - - - - - -

personnel or roles to whom error messages are to be revealed is/are defined;

-
- - - - - - - - - - - - - -

Generate error messages that provide information necessary for corrective actions without revealing information that could be exploited; and

-
- - -

Reveal error messages only to .

-
-
- -

Organizations consider the structure and content of error messages. The extent to which systems can handle error conditions is guided and informed by organizational policy and operational requirements. Exploitable information includes stack traces and implementation details; erroneous logon attempts with passwords mistakenly entered as the username; mission or business information that can be derived from, if not stated explicitly by, the information recorded; and personally identifiable information, such as account numbers, social security numbers, and credit card numbers. Error messages may also provide a covert channel for transmitting information.

-
- - - - -

error messages that provide the information necessary for corrective actions are generated without revealing information that could be exploited;

-
- - -

error messages are revealed only to .

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing system error handling

-

system design documentation

-

system configuration settings and associated documentation

-

documentation providing the structure and content of error messages

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for information input validation

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Organizational processes for error handling

-

automated mechanisms supporting and/or implementing error handling

-

automated mechanisms supporting and/or implementing the management of error messages

-
-
-
- - Information Management and Retention - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

-
- -

Information management and retention requirements cover the full life cycle of information, in some cases extending beyond system disposal. Information to be retained may also include policies, procedures, plans, reports, data output from control implementation, and other types of administrative information. The National Archives and Records Administration (NARA) provides federal policy and guidance on records retention and schedules. If organizations have a records management office, consider coordinating with records management personnel. Records produced from the output of implemented controls that may require management and retention include, but are not limited to: All XX-1, AC-6(9), AT-4, AU-12, CA-2, CA-3, CA-5, CA-6, CA-7, CA-8, CA-9, CM-2, CM-3, CM-4, CM-6, CM-8, CM-9, CM-12, CM-13, CP-2, IR-6, IR-8, MA-2, MA-4, PE-2, PE-8, PE-16, PE-17, PL-2, PL-4, PL-7, PL-8, PM-5, PM-8, PM-9, PM-18, PM-21, PM-27, PM-28, PM-30, PM-31, PS-2, PS-6, PS-7, PT-2, PT-3, PT-7, RA-2, RA-3, RA-5, RA-8, SA-4, SA-5, SA-8, SA-10, SI-4, SR-2, SR-4, SR-8.

-
- - - - -

information within the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;

-
- - -

information within the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;

-
- - -

information output from the system is managed in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements;

-
- - -

information output from the system is retained in accordance with applicable laws, Executive Orders, directives, regulations, policies, standards, guidelines, and operational requirements.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

records retention and disposition policy

-

records retention and disposition procedures

-

federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information management and retention

-

media protection policy

-

media protection procedures

-

audit findings

-

system security plan

-

privacy plan

-

privacy program plan

-

personally identifiable information inventory

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with information and records management, retention, and disposition responsibilities

-

organizational personnel with information security and privacy responsibilities

-

network administrators

-
-
- - - - -

Organizational processes for information management, retention, and disposition

-

automated mechanisms supporting and/or implementing information management, retention, and disposition

-
-
- - Limit Personally Identifiable Information Elements - - - - - -

elements of personally identifiable information being processed in the information life cycle are defined;

-
- - - - - - - - -

Limit personally identifiable information being processed in the information life cycle to the following elements of personally identifiable information: .

-
- -

Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for operational purposes helps to reduce the level of privacy risk created by a system. The information life cycle includes information creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposition. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining which elements of personally identifiable information may create risk.

-
- - -

personally identifiable information being processed in the information life cycle is limited to .

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

personally identifiable information processing procedures

-

records retention and disposition policy

-

records retention and disposition procedures

-

federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to limiting personally identifiable information elements

-

personally identifiable information inventory

-

system audit records

-

audit findings

-

system security plan

-

privacy plan

-

privacy program plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

data mapping documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with information and records management, retention, and disposition responsibilities

-

organizational personnel with security and privacy responsibilities

-

network administrators

-
-
- - - - -

Organizational processes for information management and retention (including limiting personally identifiable information processing)

-

automated mechanisms supporting and/or implementing limits to personally identifiable information processing

-
-
-
- - Minimize Personally Identifiable Information in Testing, Training, and Research - - - - - - - - - - -

techniques used to minimize the use of personally identifiable information for research are defined;

-
- - - - - -

techniques used to minimize the use of personally identifiable information for testing are defined;

-
- - - - - -

techniques used to minimize the use of personally identifiable information for training are defined;

-
- - - - - - - - - - -

Use the following techniques to minimize the use of personally identifiable information for research, testing, or training: .

-
- -

Organizations can minimize the risk to an individual’s privacy by employing techniques such as de-identification or synthetic data. Limiting the use of personally identifiable information throughout the information life cycle when the information is not needed for research, testing, or training helps reduce the level of privacy risk created by a system. Risk assessments as well as applicable laws, regulations, and policies can provide useful inputs to determining the techniques to use and when to use them.

-
- - - - -

are used to minimize the use of personally identifiable information for research;

-
- - -

are used to minimize the use of personally identifiable information for testing;

-
- - -

are used to minimize the use of personally identifiable information for training.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

personally identifiable information processing procedures

-

federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to minimizing the use of personally identifiable information in testing, training, and research

-

policy for the minimization of personally identifiable information used in testing, training, and research

-

procedures for the minimization of personally identifiable information used in testing, training, and research

-

documentation supporting minimization policy implementation (e.g., templates for testing, training, and research)

-

data sets used for testing, training, and research

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with information and records management, retention, and disposition responsibilities

-

organizational personnel with information security and privacy responsibilities

-

network administrators

-

system developers

-

personnel with IRB responsibilities

-
-
- - - - -

Organizational processes for the minimization of personally identifiable information used in testing, training, and research

-

automated mechanisms supporting and/or implementing the minimization of personally identifiable information used in testing, training, and research

-
-
-
- - Information Disposal - - - - - - - - - - -

techniques used to dispose of information following the retention period are defined;

-
- - - - - -

techniques used to destroy information following the retention period are defined;

-
- - - - - -

techniques used to erase information following the retention period are defined;

-
- - - - - - - -

Use the following techniques to dispose of, destroy, or erase information following the retention period: .

-
- -

Organizations can minimize both security and privacy risks by disposing of information when it is no longer needed. The disposal or destruction of information applies to originals as well as copies and archived records, including system logs that may contain personally identifiable information.

-
- - - - -

are used to dispose of information following the retention period;

-
- - -

are used to destroy information following the retention period;

-
- - -

are used to erase information following the retention period.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

personally identifiable information processing procedures

-

records retention and disposition policy

-

records retention and disposition procedures

-

laws, Executive Orders, directives, policies, regulations, standards, and operational requirements applicable to information disposal

-

media protection policy

-

media protection procedures

-

system audit records

-

audit findings

-

information disposal records

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with information and records management, retention, and disposition responsibilities

-

organizational personnel with information security and privacy responsibilities

-

network administrators

-
-
- - - - -

Organizational processes for information disposition

-

automated mechanisms supporting and/or implementing information disposition

-
-
-
-
- - Predictable Failure Prevention - - - - - -

system components for which mean time to failure (MTTF) should be determined are defined;

-
- - - - - - - -

mean time to failure (MTTF) substitution criteria to be used as a means to exchange active and standby components are defined;

-
- - - - - - - - - - - - - - - - -

Determine mean time to failure (MTTF) for the following system components in specific environments of operation: ; and

-
- - -

Provide substitute system components and a means to exchange active and standby components in accordance with the following criteria: .

-
-
- -

While MTTF is primarily a reliability issue, predictable failure prevention is intended to address potential failures of system components that provide security capabilities. Failure rates reflect installation-specific consideration rather than the industry-average. Organizations define the criteria for the substitution of system components based on the MTTF value with consideration for the potential harm from component failures. The transfer of responsibilities between active and standby components does not compromise safety, operational readiness, or security capabilities. The preservation of system state variables is also critical to help ensure a successful transfer process. Standby components remain available at all times except for maintenance issues or recovery failures in progress.

-
- - - - -

mean time to failure (MTTF) is determined for in specific environments of operation;

-
- - -

substitute system components and a means to exchange active and standby components are provided in accordance with .

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing predictable failure prevention

-

system design documentation

-

system configuration settings and associated documentation

-

list of MTTF substitution criteria

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for MTTF determinations and activities

-

organizational personnel with information security responsibilities

-

system/network administrators

-

organizational personnel with contingency planning responsibilities

-
-
- - - - -

Organizational processes for managing MTTF

-
-
- - Transferring Component Responsibilities - - - - - -

the fraction or percentage of mean time to failure within which to transfer the responsibilities of a system component to a substitute component is defined;

-
- - - - - - - - -

Take system components out of service by transferring component responsibilities to substitute components no later than of mean time to failure.

-
- -

Transferring primary system component responsibilities to other substitute components prior to primary component failure is important to reduce the risk of degraded or debilitated mission or business functions. Making such transfers based on a percentage of mean time to failure allows organizations to be proactive based on their risk tolerance. However, the premature replacement of system components can result in the increased cost of system operations.

-
- - -

system components are taken out of service by transferring component responsibilities to substitute components no later than of mean time to failure.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing predictable failure prevention

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for MTTF activities

-

organizational personnel with information security responsibilities

-

system/network administrators

-

organizational personnel with contingency planning responsibilities

-
-
- - - - -

Organizational processes for managing MTTF

-

automated mechanisms supporting and/or implementing the transfer of component responsibilities to substitute components

-
-
-
- - Time Limit on Process Execution Without Supervision - - - - - - - - Manual Transfer Between Components - - - - - -

the percentage of the mean time to failure for transfers to be manually initiated is defined;

-
- - - - - - - - -

Manually initiate transfers between active and standby system components when the use of the active component reaches of the mean time to failure.

-
- -

For example, if the MTTF for a system component is 100 days and the MTTF percentage defined by the organization is 90 percent, the manual transfer would occur after 90 days.

-
- - -

transfers are initiated manually between active and standby system components when the use of the active component reaches of the mean time to failure.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing predictable failure prevention

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for MTTF activities

-

organizational personnel with information security responsibilities

-

system/network administrators

-

organizational personnel with contingency planning responsibilities

-
-
- - - - -

Organizational processes for managing MTTF and conducting the manual transfer between active and standby components

-
-
-
- - Standby Component Installation and Notification - - - - - -

time period for standby components to be installed is defined;

-
- - - - - - - - - - - -

alarm to be activated when system component failures are detected is defined (if selected);

-
- - - - - - -

action to be taken when system component failures are detected is defined (if selected);

-
- - - - - - - - - -

If system component failures are detected:

- - -

Ensure that the standby components are successfully and transparently installed within ; and

-
- - -

.

-
-
- -

Automatic or manual transfer of components from standby to active mode can occur upon the detection of component failures.

-
- - - - -

the standby components are successfully and transparently installed within if system component failures are detected;

-
- - -

are performed if system component failures are detected.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing predictable failure prevention

-

system design documentation

-

system configuration settings and associated documentation

-

list of actions to be taken once system component failure is detected

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for MTTF activities

-

organizational personnel with information security responsibilities

-

system/network administrators

-

organizational personnel with contingency planning responsibilities

-
-
- - - - -

Organizational processes for managing MTTF

-

automated mechanisms supporting and/or implementing the transparent installation of standby components

-

automated mechanisms supporting and/or implementing alarms or system shutdown if component failures are detected

-
-
-
- - Failover Capability - - - - - - - - - - -

a failover capability for the system has been defined;

-
- - - - - - - - - - - -

Provide for the system.

-
- -

Failover refers to the automatic switchover to an alternate system upon the failure of the primary system. Failover capability includes incorporating mirrored system operations at alternate processing sites or periodic data mirroring at regular intervals defined by the recovery time periods of organizations.

-
- - -

is provided for the system.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing predictable failure prevention

-

system design documentation

-

system configuration settings and associated documentation

-

documentation describing the failover capability provided for the system

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for the failover capability

-

organizational personnel with information security responsibilities

-

system/network administrators

-

organizational personnel with contingency planning responsibilities

-
-
- - - - -

Organizational processes for managing the failover capability

-

automated mechanisms supporting and/or implementing the failover capability

-
-
-
-
- - Non-persistence - - - - - -

non-persistent system components and services to be implemented are defined;

-
- - - - - - - - - - - -

the frequency at which to terminate non-persistent components and services that are initiated in a known state is defined (if selected);

-
- - - - - - - - - - -

Implement non-persistent that are initiated in a known state and terminated .

-
- -

Implementation of non-persistent components and services mitigates risk from advanced persistent threats (APTs) by reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. By implementing the concept of non-persistence for selected system components, organizations can provide a trusted, known state computing resource for a specific time period that does not give adversaries sufficient time to exploit vulnerabilities in organizational systems or operating environments. Since the APT is a high-end, sophisticated threat with regard to capability, intent, and targeting, organizations assume that over an extended period, a percentage of attacks will be successful. Non-persistent system components and services are activated as required using protected information and terminated periodically or at the end of sessions. Non-persistence increases the work factor of adversaries attempting to compromise or breach organizational systems.

-

Non-persistence can be achieved by refreshing system components, periodically reimaging components, or using a variety of common virtualization techniques. Non-persistent services can be implemented by using virtualization techniques as part of virtual machines or as new instances of processes on physical machines (either persistent or non-persistent). The benefit of periodic refreshes of system components and services is that it does not require organizations to first determine whether compromises of components or services have occurred (something that may often be difficult to determine). The refresh of selected system components and services occurs with sufficient frequency to prevent the spread or intended impact of attacks, but not with such frequency that it makes the system unstable. Refreshes of critical components and services may be done periodically to hinder the ability of adversaries to exploit optimum windows of vulnerabilities.

-
- - - - -

non-persistent that are initiated in a known state are implemented;

-
- - -

non-persistent are terminated .

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing non-persistence for system components

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for non-persistence

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Automated mechanisms supporting and/or implementing the initiation and termination of non-persistent components

-
-
- - Refresh from Trusted Sources - - - - - -

trusted sources to obtain software and data for system component and service refreshes are defined;

-
- - - - - - - - -

Obtain software and data employed during system component and service refreshes from the following trusted sources: .

-
- -

Trusted sources include software and data from write-once, read-only media or from selected offline secure storage facilities.

-
- - -

the software and data employed during system component and service refreshes are obtained from .

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing non-persistence for system components

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for obtaining component and service refreshes from trusted sources

-

organizational personnel with information security responsibilities

-
-
- - - - -

Organizational processes for defining and obtaining component and service refreshes from trusted sources

-

automated mechanisms supporting and/or implementing component and service refreshes

-
-
-
- - Non-persistent Information - - - - - - - - - - -

the information to be refreshed is defined (if selected);

-
- - - - - - -

the frequency at which to refresh information is defined (if selected);

-
- - - - - - -

the information to be generated is defined (if selected);

-
- - - - - - - - - - -

; and

-
- - -

Delete information when no longer needed.

-
-
- -

Retaining information longer than is needed makes the information a potential target for advanced adversaries searching for high value assets to compromise through unauthorized disclosure, unauthorized modification, or exfiltration. For system-related information, unnecessary retention provides advanced adversaries information that can assist in their reconnaissance and lateral movement through the system.

-
- - - - -

is performed;

-
- - -

information is deleted when no longer needed.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing non-persistence for system components

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for ensuring that information is and remains non-persistent

-

organizational personnel with information security responsibilities

-
-
- - - - -

Organizational processes for ensuring that information is and remains non-persistent

-

automated mechanisms supporting and/or implementing component and service refreshes

-
-
-
- - Non-persistent Connectivity - - - - - - - - - - - - - -

Establish connections to the system on demand and terminate connections after .

-
- -

Persistent connections to systems can provide advanced adversaries with paths to move laterally through systems and potentially position themselves closer to high value assets. Limiting the availability of such connections impedes the adversary’s ability to move freely through organizational systems.

-
- - - - -

connections to the system are established on demand;

-
- - -

connections to the system are terminated after .

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing non-persistence for system components

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for limiting persistent connections

-

organizational personnel with information security responsibilities

-
-
- - - - -

Organizational processes for limiting persistent connections

-

automated mechanisms supporting and/or implementing non-persistent connectivity

-
-
-
-
- - Information Output Filtering - - - - - -

software programs and/or applications whose information output requires validation are defined;

-
- - - - - - - - - - -

Validate information output from the following software programs and/or applications to ensure that the information is consistent with the expected content: .

-
- -

Certain types of attacks, including SQL injections, produce output results that are unexpected or inconsistent with the output results that would be expected from software programs or applications. Information output filtering focuses on detecting extraneous content, preventing such extraneous content from being displayed, and then alerting monitoring tools that anomalous behavior has been discovered.

-
- - -

information output from is validated to ensure that the information is consistent with the expected content.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing information output filtering

-

system design documentation

-

system configuration settings and associated documentation

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for validating information output

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Organizational processes for validating information output

-

automated mechanisms supporting and/or implementing information output validation

-
-
-
- - Memory Protection - - - - - -

controls to be implemented to protect the system memory from unauthorized code execution are defined;

-
- - - - - - - - - - -

Implement the following controls to protect the system memory from unauthorized code execution: .

-
- -

Some adversaries launch attacks with the intent of executing code in non-executable regions of memory or in memory locations that are prohibited. Controls employed to protect memory include data execution prevention and address space layout randomization. Data execution prevention controls can either be hardware-enforced or software-enforced with hardware enforcement providing the greater strength of mechanism.

-
- - -

are implemented to protect the system memory from unauthorized code execution.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

procedures addressing memory protection for the system

-

system design documentation

-

system configuration settings and associated documentation

-

list of security safeguards protecting system memory from unauthorized code execution

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for memory protection

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Automated mechanisms supporting and/or implementing safeguards to protect the system memory from unauthorized code execution

-
-
-
- - Fail-safe Procedures - - - - - - - - - -

fail-safe procedures associated with failure conditions are defined;

-
- - - - - -

a list of failure conditions requiring fail-safe procedures is defined;

-
- - - - - - - - - - - -

Implement the indicated fail-safe procedures when the indicated failures occur: .

-
- -

Failure conditions include the loss of communications among critical system components or between system components and operational facilities. Fail-safe procedures include alerting operator personnel and providing specific instructions on subsequent steps to take. Subsequent steps may include doing nothing, reestablishing system settings, shutting down processes, restarting the system, or contacting designated organizational personnel.

-
- - -

are implemented when occur.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

documentation addressing fail-safe procedures for the system

-

system design documentation

-

system configuration settings and associated documentation

-

list of security safeguards protecting the system memory from unauthorized code execution

-

system audit records

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for fail-safe procedures

-

organizational personnel with information security responsibilities

-

system/network administrators

-

system developer

-
-
- - - - -

Organizational fail-safe procedures

-

automated mechanisms supporting and/or implementing fail-safe procedures

-
-
-
- - Personally Identifiable Information Quality Operations - - - - - - - - - - - -

the frequency at which to check the accuracy of personally identifiable information across the information life cycle is defined;

-
- - - - - -

the frequency at which to check the relevance of personally identifiable information across the information life cycle is defined;

-
- - - - - -

the frequency at which to check the timeliness of personally identifiable information across the information life cycle is defined;

-
- - - - - -

the frequency at which to check the completeness of personally identifiable information across the information life cycle is defined;

-
- - - - - - - - - - - - - - - - -

Check the accuracy, relevance, timeliness, and completeness of personally identifiable information across the information life cycle ; and

-
- - -

Correct or delete inaccurate or outdated personally identifiable information.

-
-
- -

Personally identifiable information quality operations include the steps that organizations take to confirm the accuracy and relevance of personally identifiable information throughout the information life cycle. The information life cycle includes the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information. Personally identifiable information quality operations include editing and validating addresses as they are collected or entered into systems using automated address verification look-up application programming interfaces. Checking personally identifiable information quality includes the tracking of updates or changes to data over time, which enables organizations to know how and what personally identifiable information was changed should erroneous information be identified. The measures taken to protect personally identifiable information quality are based on the nature and context of the personally identifiable information, how it is to be used, how it was obtained, and the potential de-identification methods employed. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals covered under federal programs may be more comprehensive than the measures used to validate personally identifiable information used for less sensitive purposes.

-
- - - - - - -

the accuracy of personally identifiable information across the information life cycle is checked ;

-
- - -

the relevance of personally identifiable information across the information life cycle is checked ;

-
- - -

the timeliness of personally identifiable information across the information life cycle is checked ;

-
- - -

the completeness of personally identifiable information across the information life cycle is checked ;

-
-
- - -

inaccurate or outdated personally identifiable information is corrected or deleted.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

documentation addressing personally identifiable information quality operations

-

quality reports

-

maintenance logs

-

system audit records

-

audit findings

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for performing personally identifiable information quality inspections

-

organizational personnel with information security responsibilities

-

organizational personnel with privacy responsibilities

-
-
- - - - -

Organizational processes for personally identifiable information quality inspection

-

automated mechanisms supporting and/or implementing personally identifiable information quality operations

-
-
- - Automation Support - - - - - -

automated mechanisms used to correct or delete personally identifiable information that is inaccurate, outdated, incorrectly determined regarding impact, or incorrectly de-identified are defined;

-
- - - - - - - - - - -

Correct or delete personally identifiable information that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified using .

-
- -

The use of automated mechanisms to improve data quality may inadvertently create privacy risks. Automated tools may connect to external or otherwise unrelated systems, and the matching of records between these systems may create linkages with unintended consequences. Organizations assess and document these risks in their privacy impact assessments and make determinations that are in alignment with their privacy program plans.

-

As data is obtained and used across the information life cycle, it is important to confirm the accuracy and relevance of personally identifiable information. Automated mechanisms can augment existing data quality processes and procedures and enable an organization to better identify and manage personally identifiable information in large-scale systems. For example, automated tools can greatly improve efforts to consistently normalize data or identify malformed data. Automated tools can also be used to improve the auditing of data and detect errors that may incorrectly alter personally identifiable information or incorrectly associate such information with the wrong individual. Automated capabilities backstop processes and procedures at-scale and enable more fine-grained detection and correction of data quality errors.

-
- - -

are used to correct or delete personally identifiable information that is inaccurate, outdated, incorrectly determined regarding impact, or incorrectly de-identified.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

documentation addressing personally identifiable information quality operations

-

quality reports

-

maintenance logs

-

system audit records

-

audit findings

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for performing personally identifiable information quality inspections

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Organizational processes for personally identifiable information quality inspection

-

automated mechanisms supporting and/or implementing personally identifiable information quality operations

-
-
-
- - Data Tags - - - - - - - - - - -

Employ data tags to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems.

-
- -

Data tagging personally identifiable information includes tags that note processing permissions, authority to process, de-identification, impact level, information life cycle stage, and retention or last updated dates. Employing data tags for personally identifiable information can support the use of automation tools to correct or delete relevant personally identifiable information.

-
- - -

data tags are employed to automate the correction or deletion of personally identifiable information across the information life cycle within organizational systems.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

procedures addressing data tagging

-

personally identifiable information inventory

-

system audit records

-

audit findings

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for tagging data

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Data tagging mechanisms

-

automated mechanisms supporting and/or implementing data tagging

-
-
-
- - Collection - - - - - - - -

Collect personally identifiable information directly from the individual.

-
- -

Individuals or their designated representatives can be sources of correct personally identifiable information. Organizations consider contextual factors that may incentivize individuals to provide correct data versus false data. Additional steps may be necessary to validate collected information based on the nature and context of the personally identifiable information, how it is to be used, and how it was obtained. The measures taken to validate the accuracy of personally identifiable information used to make determinations about the rights, benefits, or privileges of individuals under federal programs may be more comprehensive than the measures taken to validate less sensitive personally identifiable information.

-
- - -

personally identifiable information is collected directly from the individual.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

system configuration documentation

-

system audit records

-

user interface where personally identifiable information is collected

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for data collection

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Data collection mechanisms

-

automated mechanisms supporting and/or validating collection directly from the individual

-
-
-
- - Individual Requests - - - - - - - -

Correct or delete personally identifiable information upon request by individuals or their designated representatives.

-
- -

Inaccurate personally identifiable information maintained by organizations may cause problems for individuals, especially in those business functions where inaccurate information may result in inappropriate decisions or the denial of benefits and services to individuals. Even correct information, in certain circumstances, can cause problems for individuals that outweigh the benefits of an organization maintaining the information. Organizations use discretion when determining if personally identifiable information is to be corrected or deleted based on the scope of requests, the changes sought, the impact of the changes, and laws, regulations, and policies. Organizational personnel consult with the senior agency official for privacy and legal counsel regarding appropriate instances of correction or deletion.

-
- - -

personally identifiable information is corrected or deleted upon request by individuals or their designated representatives.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

system configuration

-

individual requests

-

records of correction or deletion actions performed

-

system audit records

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for responding to individual requests for personally identifiable information correction or deletion

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Request mechanisms

-

automated mechanisms supporting and/or implementing individual requests for correction or deletion

-
-
-
- - Notice of Correction or Deletion - - - - - - -

recipients of personally identifiable information to be notified when the personally identifiable information has been corrected or deleted are defined;

-
- - - - - - - - -

Notify and individuals that the personally identifiable information has been corrected or deleted.

-
- -

When personally identifiable information is corrected or deleted, organizations take steps to ensure that all authorized recipients of such information, and the individual with whom the information is associated or their designated representatives, are informed of the corrected or deleted information.

-
- - -

and individuals are notified when the personally identifiable information has been corrected or deleted.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

system configuration

-

individual requests for corrections or deletions

-

notifications of correction or deletion action

-

system audit records

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for sending correction or deletion notices

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Organizational processes for notifications of correction or deletion

-

automated mechanisms supporting and/or implementing notifications of correction or deletion

-
-
-
-
- - De-identification - - - - - - -

elements of personally identifiable information to be removed from datasets are defined;

-
- - - - - - -

the frequency at which to evaluate the effectiveness of de-identification is defined;

-
- - - - - - - - - - - - - - - - - -

Remove the following elements of personally identifiable information from datasets: ; and

-
- - -

Evaluate for effectiveness of de-identification.

-
-
- -

De-identification is the general term for the process of removing the association between a set of identifying data and the data subject. Many datasets contain information about individuals that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records. Datasets may also contain other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Personally identifiable information is removed from datasets by trained individuals when such information is not (or no longer) necessary to satisfy the requirements envisioned for the data. For example, if the dataset is only used to produce aggregate statistics, the identifiers that are not needed for producing those statistics are removed. Removing identifiers improves privacy protection since information that is removed cannot be inadvertently disclosed or improperly used. Organizations may be subject to specific de-identification definitions or methods under applicable laws, regulations, or policies. Re-identification is a residual risk with de-identified data. Re-identification attacks can vary, including combining new datasets or other improvements in data analytics. Maintaining awareness of potential attacks and evaluating for the effectiveness of the de-identification over time support the management of this residual risk.

-
- - - - -

are removed from datasets;

-
- - -

the effectiveness of de-identification is evaluated .

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

de-identification procedures

-

system configuration

-

datasets with personally identifiable information removed

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for identifying unnecessary identifiers

-

organizational personnel responsible for removing personally identifiable information from datasets

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Automated mechanisms supporting and/or implementing the removal of personally identifiable information elements

-
-
- - Collection - - - - - - - -

De-identify the dataset upon collection by not collecting personally identifiable information.

-
- -

If a data source contains personally identifiable information but the information will not be used, the dataset can be de-identified when it is created by not collecting the data elements that contain the personally identifiable information. For example, if an organization does not intend to use the social security number of an applicant, then application forms do not ask for a social security number.

-
- - -

the dataset is de-identified upon collection by not collecting personally identifiable information.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

de-identification procedures

-

procedures for minimizing the collection of personally identifiable information

-

system configuration

-

data collection mechanisms

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for de-identifying the dataset

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Automated mechanisms preventing the collection of personally identifiable information

-
-
-
- - Archiving - - - - - - - -

Prohibit archiving of personally identifiable information elements if those elements in a dataset will not be needed after the dataset is archived.

-
- -

Datasets can be archived for many reasons. The envisioned purposes for the archived dataset are specified, and if personally identifiable information elements are not required, the elements are not archived. For example, social security numbers may have been collected for record linkage, but the archived dataset may include the required elements from the linked records. In this case, it is not necessary to archive the social security numbers.

-
- - -

the archiving of personally identifiable information elements is prohibited if those elements in a dataset will not be needed after the dataset is archived.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

de-identification procedures

-

system configuration documentation

-

data archiving mechanisms

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for de-identifying the dataset

-

organizational personnel with dataset archival responsibilities

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Automated mechanisms prohibiting the archival of personally identifiable information elements

-
-
-
- - Release - - - - - - - -

Remove personally identifiable information elements from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.

-
- -

Prior to releasing a dataset, a data custodian considers the intended uses of the dataset and determines if it is necessary to release personally identifiable information. If the personally identifiable information is not necessary, the information can be removed using de-identification techniques.

-
- - -

personally identifiable information elements are removed from a dataset prior to its release if those elements in the dataset do not need to be part of the data release.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

de-identification procedures

-

procedures for minimizing the release of personally identifiable information

-

system configuration

-

data release mechanisms

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for de-identifying the dataset

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Automated mechanisms supporting and/or implementing the removal of personally identifiable information elements from a dataset

-
-
-
- - Removal, Masking, Encryption, Hashing, or Replacement of Direct Identifiers - - - - - - - - -

Remove, mask, encrypt, hash, or replace direct identifiers in a dataset.

-
- -

There are many possible processes for removing direct identifiers from a dataset. Columns in a dataset that contain a direct identifier can be removed. In masking, the direct identifier is transformed into a repeating character, such as XXXXXX or 999999. Identifiers can be encrypted or hashed so that the linked records remain linked. In the case of encryption or hashing, algorithms are employed that require the use of a key, including the Advanced Encryption Standard or a Hash-based Message Authentication Code. Implementations may use the same key for all identifiers or use a different key for each identifier. Using a different key for each identifier provides a higher degree of security and privacy. Identifiers can alternatively be replaced with a keyword, including transforming George Washington to PATIENT or replacing it with a surrogate value, such as transforming George Washington to Abraham Polk.

-
- - -

direct identifiers in a dataset are removed, masked, encrypted, hashed, or replaced.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

de-identification procedures

-

system configuration

-

documentation of de-identified datasets

-

tools for the removal, masking, encryption, hashing or replacement of direct identifiers

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for de-identifying the dataset

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Automated mechanisms supporting and/or implementing the removal, masking, encryption, hashing or replacement of direct identifiers

-
-
-
- - Statistical Disclosure Control - - - - - - - -

Manipulate numerical data, contingency tables, and statistical findings so that no individual or organization is identifiable in the results of the analysis.

-
- -

Many types of statistical analyses can result in the disclosure of information about individuals even if only summary information is provided. For example, if a school that publishes a monthly table with the number of minority students enrolled, reports that it has 10-19 such students in January, and subsequently reports that it has 20-29 such students in March, then it can be inferred that the student who enrolled in February was a minority.

-
- - - - -

numerical data is manipulated so that no individual or organization is identifiable in the results of the analysis;

-
- - -

contingency tables are manipulated so that no individual or organization is identifiable in the results of the analysis;

-
- - -

statistical findings are manipulated so that no individual or organization is identifiable in the results of the analysis.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

de-identification procedures

-

system configuration

-

de-identified datasets

-

statistical analysis report

-

tools for the control of statistical disclosure

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for de-identifying the dataset

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Automated mechanisms supporting and/or implementing the control of statistical disclosure

-
-
-
- - Differential Privacy - - - - - - - - - -

Prevent disclosure of personally identifiable information by adding non-deterministic noise to the results of mathematical operations before the results are reported.

-
- -

The mathematical definition for differential privacy holds that the result of a dataset analysis should be approximately the same before and after the addition or removal of a single data record (which is assumed to be the data from a single individual). In its most basic form, differential privacy applies only to online query systems. However, it can also be used to produce machine-learning statistical classifiers and synthetic data. Differential privacy comes at the cost of decreased accuracy of results, forcing organizations to quantify the trade-off between privacy protection and the overall accuracy, usefulness, and utility of the de-identified dataset. Non-deterministic noise can include adding small, random values to the results of mathematical operations in dataset analysis.

-
- - -

the disclosure of personally identifiable information is prevented by adding non-deterministic noise to the results of mathematical operations before the results are reported.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

de-identification procedures

-

system configuration

-

de-identified datasets

-

differential privacy tools

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for de-identifying the dataset

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Online query systems

-

automated mechanisms supporting and/or implementing differential privacy

-
-
-
- - Validated Algorithms and Software - - - - - - -

Perform de-identification using validated algorithms and software that is validated to implement the algorithms.

-
- -

Algorithms that appear to remove personally identifiable information from a dataset may in fact leave information that is personally identifiable or data that is re-identifiable. Software that is claimed to implement a validated algorithm may contain bugs or implement a different algorithm. Software may de-identify one type of data, such as integers, but not de-identify another type of data, such as floating point numbers. For these reasons, de-identification is performed using algorithms and software that are validated.

-
- - - - -

de-identification is performed using validated algorithms;

-
- - -

de-identification is performed using software that is validated to implement the algorithms.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

de-identification procedures

-

system configuration

-

de-identified datasets

-

algorithm and software validation tools

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for de-identifying the dataset

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Validated algorithms and software

-
-
-
- - Motivated Intruder - - - - - - - -

Perform a motivated intruder test on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.

-
- -

A motivated intruder test is a test in which an individual or group takes a data release and specified resources and attempts to re-identify one or more individuals in the de-identified dataset. Such tests specify the amount of inside knowledge, computational resources, financial resources, data, and skills that intruders possess to conduct the tests. A motivated intruder test can determine if the de-identification is insufficient. It can also be a useful diagnostic tool to assess if de-identification is likely to be sufficient. However, the test alone cannot prove that de-identification is sufficient.

-
- - -

a motivated intruder test is performed on the de-identified dataset to determine if the identified data remains or if the de-identified data can be re-identified.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

de-identification procedures

-

system configuration

-

motivated intruder test procedures

-

de-identified datasets

-

system security plan

-

privacy plan

-

privacy impact assessment

-

privacy risk assessment documentation

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for de-identifying the dataset

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Motivated intruder test

-
-
-
-
- - Tainting - - - - - -

the systems or system components with data or capabilities to be embedded are defined;

-
- - - - - - - - - - - -

Embed data or capabilities in the following systems or system components to determine if organizational data has been exfiltrated or improperly removed from the organization: .

-
- -

Many cyber-attacks target organizational information, or information that the organization holds on behalf of other entities (e.g., personally identifiable information), and exfiltrate that data. In addition, insider attacks and erroneous user procedures can remove information from the system that is in violation of the organizational policies. Tainting approaches can range from passive to active. A passive tainting approach can be as simple as adding false email names and addresses to an internal database. If the organization receives email at one of the false email addresses, it knows that the database has been compromised. Moreover, the organization knows that the email was sent by an unauthorized entity, so any packets it includes potentially contain malicious code, and that the unauthorized entity may have potentially obtained a copy of the database. Another tainting approach can include embedding false data or steganographic data in files to enable the data to be found via open-source analysis. Finally, an active tainting approach can include embedding software in the data that is able to call home, thereby alerting the organization to its capture, and possibly its location, and the path by which it was exfiltrated or removed.

-
- - -

data or capabilities are embedded in to determine if organizational data has been exfiltrated or improperly removed from the organization.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

procedures addressing software and information integrity

-

system design documentation

-

system configuration settings and associated documentation

-

policy and procedures addressing the systems security engineering technique of deception

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for detecting tainted data

-

organizational personnel with systems security engineering responsibilities

-

organizational personnel with information security and privacy responsibilities

-
-
- - - - -

Automated mechanisms for post-breach detection

-

decoys, traps, lures, and methods for deceiving adversaries

-

detection and notification mechanisms

-
-
-
- - Information Refresh - - - - - -

the information to be refreshed is defined;

-
- - - - - - -

the frequencies at which to refresh information are defined;

-
- - - - - - - - - - - -

Refresh at or generate the information on demand and delete the information when no longer needed.

-
- -

Retaining information for longer than it is needed makes it an increasingly valuable and enticing target for adversaries. Keeping information available for the minimum period of time needed to support organizational missions or business functions reduces the opportunity for adversaries to compromise, capture, and exfiltrate that information.

-
- - -

the is refreshed or is generated on demand and deleted when no longer needed.

-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

procedures addressing software and information integrity

-

system design documentation

-

system configuration settings and associated documentation

-

information refresh procedures

-

list of information to be refreshed

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel responsible for refreshing information

-

organizational personnel with information security and privacy responsibilities

-

organizational personnel with systems security engineering responsibilities

-

system developers

-
-
- - - - -

Mechanisms for information refresh

-

organizational processes for information refresh

-
-
-
- - Information Diversity - - - - - -

alternative information sources for essential functions and services are defined;

-
- - - - - - -

essential functions and services that require alternative sources of information are defined;

-
- - - - - - -

systems or system components that require an alternative information source for the execution of essential functions or services are defined;

-
- - - - - - - - - - - -

Identify the following alternative sources of information for : ; and

-
- - -

Use an alternative information source for the execution of essential functions or services on when the primary source of information is corrupted or unavailable.

-
-
- -

Actions taken by a system service or a function are often driven by the information it receives. Corruption, fabrication, modification, or deletion of that information could impact the ability of the service function to properly carry out its intended actions. By having multiple sources of input, the service or function can continue operation if one source is corrupted or no longer available. It is possible that the alternative sources of information may be less precise or less accurate than the primary source of information. But having such sub-optimal information sources may still provide a sufficient level of quality that the essential service or function can be carried out, even in a degraded or debilitated manner.

-
- - - - -

for are identified;

-
- - -

an alternative information source is used for the execution of essential functions or services on when the primary source of information is corrupted or unavailable.

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

system design documentation

-

system configuration settings and associated documentation

-

list of information sources

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with information security and privacy responsibilities

-

organizational personnel with systems security engineering responsibilities

-

system developers

-
-
- - - - -

Automated methods and mechanisms to convert information from an analog to digital medium

-
-
-
- - Information Fragmentation - - - - - -

circumstances that require information fragmentation are defined;

-
- - - - - - -

the information to be fragmented is defined;

-
- - - - - - -

systems or system components across which the fragmented information is to be distributed are defined;

-
- - - - - - - - - -

Based on :

- - -

Fragment the following information: ; and

-
- - -

Distribute the fragmented information across the following systems or system components: .

-
-
- -

One objective of the advanced persistent threat is to exfiltrate valuable information. Once exfiltrated, there is generally no way for the organization to recover the lost information. Therefore, organizations may consider dividing the information into disparate elements and distributing those elements across multiple systems or system components and locations. Such actions will increase the adversary’s work factor to capture and exfiltrate the desired information and, in so doing, increase the probability of detection. The fragmentation of information impacts the organization’s ability to access the information in a timely manner. The extent of the fragmentation is dictated by the impact or classification level (and value) of the information, threat intelligence information received, and whether data tainting is used (i.e., data tainting-derived information about the exfiltration of some information could result in the fragmentation of the remaining information).

-
- - - - -

under , is fragmented;

-
- - -

under , the fragmented information is distributed across .

-
-
- - - - -

System and information integrity policy

-

system and information integrity procedures

-

personally identifiable information processing policy

-

procedures addressing software and information integrity

-

system design documentation

-

system configuration settings and associated documentation

-

procedures to identify information for fragmentation and distribution across systems/system components

-

list of distributed and fragmented information

-

list of circumstances requiring information fragmentation

-

enterprise architecture

-

system security architecture

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with information security and privacy responsibilities

-

organizational personnel with systems security engineering responsibilities

-

system developers

-

security architects

-
-
- - - - -

Organizational processes to identify information for fragmentation and distribution across systems/system components

-

automated mechanisms supporting and/or implementing information fragmentation and distribution across systems/system components

-
-
-
-
- - Supply Chain Risk Management - - Policy and Procedures - - - - - - - - - -

personnel or roles to whom supply chain risk management policy is to be disseminated to is/are defined;

-
- - - - - -

personnel or roles to whom supply chain risk management procedures are disseminated to is/are defined;

-
- - - - - - - - - - - -

an official to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures is defined;

-
- - - - - - -

the frequency at which the current supply chain risk management policy is reviewed and updated is defined;

-
- - - - - - -

events that require the current supply chain risk management policy to be reviewed and updated are defined;

-
- - - - - - -

the frequency at which the current supply chain risk management procedure is reviewed and updated is defined;

-
- - - - - - -

events that require the supply chain risk management procedures to be reviewed and updated are defined;

-
- - - - - - - - - - - - - - - - - - - - - - -

Develop, document, and disseminate to :

- - -

supply chain risk management policy that:

- - -

Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

-
- - -

Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

-
-
- - -

Procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls;

-
-
- - -

Designate an to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures; and

-
- - -

Review and update the current supply chain risk management:

- - -

Policy and following ; and

-
- - -

Procedures and following .

-
-
-
- -

Supply chain risk management policy and procedures address the controls in the SR family as well as supply chain-related controls in other families that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of supply chain risk management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission or business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to supply chain risk management policy and procedures include assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.

-
- - - - - - -

a supply chain risk management policy is developed and documented;

-
- - -

the supply chain risk management policy is disseminated to ;

-
- - -

supply chain risk management procedures to facilitate the implementation of the supply chain risk management policy and the associated supply chain risk management controls are developed and documented;

-
- - -

the supply chain risk management procedures are disseminated to .

-
- - - - - - -

the supply chain risk management policy addresses purpose;

-
- - -

the supply chain risk management policy addresses scope;

-
- - -

supply chain risk management policy addresses roles;

-
- - -

the supply chain risk management policy addresses responsibilities;

-
- - -

the supply chain risk management policy addresses management commitment;

-
- - -

the supply chain risk management policy addresses coordination among organizational entities;

-
- - -

the supply chain risk management policy addresses compliance.

-
-
- - -

the supply chain risk management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;

-
-
-
- - -

the is designated to manage the development, documentation, and dissemination of the supply chain risk management policy and procedures;

-
- - - - - - -

the current supply chain risk management policy is reviewed and updated ;

-
- - -

the current supply chain risk management policy is reviewed and updated following ;

-
-
- - - - -

the current supply chain risk management procedures are reviewed and updated ;

-
- - -

the current supply chain risk management procedures are reviewed and updated following .

-
-
-
-
- - - - -

Supply chain risk management policy

-

supply chain risk management procedures

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with supply chain risk management responsibilities

-

organizational personnel with information security and privacy responsibilities

-

organizational personnel with acquisition responsibilities

-

organizational personnel with enterprise risk management responsibilities

-
-
-
- - Supply Chain Risk Management Plan - - - - - -

systems, system components, or system services for which a supply chain risk management plan is developed are defined;

-
- - - - - - -

the frequency at which to review and update the supply chain risk management plan is defined;

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Develop a plan for managing supply chain risks associated with the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of the following systems, system components or system services: ;

-
- - -

Review and update the supply chain risk management plan or as required, to address threat, organizational or environmental changes; and

-
- - -

Protect the supply chain risk management plan from unauthorized disclosure and modification.

-
-
- -

The dependence on products, systems, and services from external providers, as well as the nature of the relationships with those providers, present an increasing level of risk to an organization. Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain. Supply chain risks can be endemic or systemic within a system element or component, a system, an organization, a sector, or the Nation. Managing supply chain risk is a complex, multifaceted undertaking that requires a coordinated effort across an organization to build trust relationships and communicate with internal and external stakeholders. Supply chain risk management (SCRM) activities include identifying and assessing risks, determining appropriate risk response actions, developing SCRM plans to document response actions, and monitoring performance against plans. The SCRM plan (at the system-level) is implementation specific, providing policy implementation, requirements, constraints and implications. It can either be stand-alone, or incorporated into system security and privacy plans. The SCRM plan addresses managing, implementation, and monitoring of SCRM controls and the development/sustainment of systems across the SDLC to support mission and business functions.

-

Because supply chains can differ significantly across and within organizations, SCRM plans are tailored to the individual program, organizational, and operational contexts. Tailored SCRM plans provide the basis for determining whether a technology, service, system component, or system is fit for purpose, and as such, the controls need to be tailored accordingly. Tailored SCRM plans help organizations focus their resources on the most critical mission and business functions based on mission and business requirements and their risk environment. Supply chain risk management plans include an expression of the supply chain risk tolerance for the organization, acceptable supply chain risk mitigation strategies or controls, a process for consistently evaluating and monitoring supply chain risk, approaches for implementing and communicating the plan, a description of and justification for supply chain risk mitigation measures taken, and associated roles and responsibilities. Finally, supply chain risk management plans address requirements for developing trustworthy, secure, privacy-protective, and resilient system components and systems, including the application of the security design principles implemented as part of life cycle-based systems security engineering processes (see SA-8).

-
- - - - - - -

a plan for managing supply chain risks is developed;

-
- - -

the supply chain risk management plan addresses risks associated with the research and development of ;

-
- - -

the supply chain risk management plan addresses risks associated with the design of ;

-
- - -

the supply chain risk management plan addresses risks associated with the manufacturing of ;

-
- - -

the supply chain risk management plan addresses risks associated with the acquisition of ;

-
- - -

the supply chain risk management plan addresses risks associated with the delivery of ;

-
- - -

the supply chain risk management plan addresses risks associated with the integration of ;

-
- - -

the supply chain risk management plan addresses risks associated with the operation and maintenance of ;

-
- - -

the supply chain risk management plan addresses risks associated with the disposal of ;

-
-
- - -

the supply chain risk management plan is reviewed and updated or as required to address threat, organizational, or environmental changes;

-
- - - - -

the supply chain risk management plan is protected from unauthorized disclosure;

-
- - -

the supply chain risk management plan is protected from unauthorized modification.

-
-
-
- - - - -

Supply chain risk management policy

-

supply chain risk management procedures

-

supply chain risk management plan

-

system and services acquisition policy

-

system and services acquisition procedures

-

procedures addressing supply chain protection

-

procedures for protecting the supply chain risk management plan from unauthorized disclosure and modification

-

system development life cycle procedures

-

procedures addressing the integration of information security and privacy requirements into the acquisition process

-

acquisition documentation

-

service level agreements

-

acquisition contracts for the system, system component, or system service

-

list of supply chain threats

-

list of safeguards to be taken against supply chain threats

-

system life cycle documentation

-

inter-organizational agreements and procedures

-

system security plan

-

privacy plan

-

privacy program plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with acquisition responsibilities

-

organizational personnel with information security and privacy responsibilities

-

organizational personnel with supply chain risk management responsibilities

-
-
- - - - -

Organizational processes for defining and documenting the system development life cycle (SDLC)

-

organizational processes for identifying SDLC roles and responsibilities

-

organizational processes for integrating supply chain risk management into the SDLC

-

mechanisms supporting and/or implementing the SDLC

-
-
- - Establish SCRM Team - - - - - - -

the personnel, roles, and responsibilities of the supply chain risk management team are defined;

-
- - - - - - -

supply chain risk management activities are defined;

-
- - - - - - - - -

Establish a supply chain risk management team consisting of to lead and support the following SCRM activities: .

-
- -

To implement supply chain risk management plans, organizations establish a coordinated, team-based approach to identify and assess supply chain risks and manage these risks by using programmatic and technical mitigation techniques. The team approach enables organizations to conduct an analysis of their supply chain, communicate with internal and external partners or stakeholders, and gain broad consensus regarding the appropriate resources for SCRM. The SCRM team consists of organizational personnel with diverse roles and responsibilities for leading and supporting SCRM activities, including risk executive, information technology, contracting, information security, privacy, mission or business, legal, supply chain and logistics, acquisition, business continuity, and other relevant functions. Members of the SCRM team are involved in various aspects of the SDLC and, collectively, have an awareness of and provide expertise in acquisition processes, legal practices, vulnerabilities, threats, and attack vectors, as well as an understanding of the technical aspects and dependencies of systems. The SCRM team can be an extension of the security and privacy risk management processes or be included as part of an organizational risk management team.

-
- - -

a supply chain risk management team consisting of is established to lead and support .

-
- - - - -

Supply chain risk management policy

-

supply chain risk management procedures

-

supply chain risk management team charter documentation

-

supply chain risk management strategy

-

supply chain risk management implementation plan

-

procedures addressing supply chain protection

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with acquisition responsibilities

-

organizational personnel with information security and privacy responsibilities

-

organizational personnel with supply chain risk management responsibilities

-

organizational personnel with enterprise risk management responsibilities

-

legal counsel

-

organizational personnel with business continuity responsibilities

-
-
-
-
- - Supply Chain Controls and Processes - - - - - -

the system or system component requiring a process or processes to identify and address weaknesses or deficiencies is defined;

-
- - - - - - -

supply chain personnel with whom to coordinate the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes is/are defined;

-
- - - - - - -

supply chain controls employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events are defined;

-
- - - - - - - - - - - -

the document identifying the selected and implemented supply chain processes and controls is defined (if selected);

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of in coordination with ;

-
- - -

Employ the following controls to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events: ; and

-
- - -

Document the selected and implemented supply chain processes and controls in .

-
-
- -

Supply chain elements include organizations, entities, or tools employed for the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of systems and system components. Supply chain processes include hardware, software, and firmware development processes; shipping and handling procedures; personnel security and physical security programs; configuration management tools, techniques, and measures to maintain provenance; or other programs, processes, or procedures associated with the development, acquisition, maintenance and disposal of systems and system components. Supply chain elements and processes may be provided by organizations, system integrators, or external providers. Weaknesses or deficiencies in supply chain elements or processes represent potential vulnerabilities that can be exploited by adversaries to cause harm to the organization and affect its ability to carry out its core missions or business functions. Supply chain personnel are individuals with roles and responsibilities in the supply chain.

-
- - - - - - -

a process or processes is/are established to identify and address weaknesses or deficiencies in the supply chain elements and processes of ;

-
- - -

the process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of is/are coordinated with ;

-
-
- - -

are employed to protect against supply chain risks to the system, system component, or system service and to limit the harm or consequences from supply chain-related events;

-
- - -

the selected and implemented supply chain processes and controls are documented in .

-
-
- - - - -

Supply chain risk management policy

-

supply chain risk management procedures

-

supply chain risk management strategy

-

supply chain risk management plan

-

systems and critical system components inventory documentation

-

system and services acquisition policy

-

system and services acquisition procedures

-

procedures addressing the integration of information security and privacy requirements into the acquisition process

-

solicitation documentation

-

acquisition documentation (including purchase orders)

-

service level agreements

-

acquisition contracts for systems or services

-

risk register documentation

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with acquisition responsibilities

-

organizational personnel with information security and privacy responsibilities

-

organizational personnel with supply chain risk management responsibilities

-
-
- - - - -

Organizational processes for identifying and addressing supply chain element and process deficiencies

-
-
- - Diverse Supply Base - - - - - - - - - -

system components with a diverse set of sources are defined;

-
- - - - - -

services with a diverse set of sources are defined;

-
- - - - - - - - -

Employ a diverse set of sources for the following system components and services: .

-
- -

Diversifying the supply of systems, system components, and services can reduce the probability that adversaries will successfully identify and target the supply chain and can reduce the impact of a supply chain event or compromise. Identifying multiple suppliers for replacement components can reduce the probability that the replacement component will become unavailable. Employing a diverse set of developers or logistics service providers can reduce the impact of a natural disaster or other supply chain event. Organizations consider designing the system to include diverse materials and components.

-
- - - - -

a diverse set of sources is employed for ;

-
- - -

a diverse set of sources is employed for .

-
-
- - - - -

Supply chain risk management policy and procedures

-

system and services acquisition policy

-

planning policy

-

procedures addressing supply chain protection

-

physical inventory of critical systems and system components

-

inventory of critical suppliers, service providers, developers, and contracts

-

inventory records of critical system components

-

list of security safeguards ensuring an adequate supply of critical system components

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and services acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain protection responsibilities

-
-
- - - - -

Organizational processes for defining and employing security safeguards to ensure an adequate supply of critical system components

-

processes to identify critical suppliers

-

mechanisms supporting and/or implementing the security safeguards that ensure an adequate supply of critical system components

-
-
-
- - Limitation of Harm - - - - - -

controls to limit harm from potential supply chain adversaries are defined;

-
- - - - - - - - -

Employ the following controls to limit harm from potential adversaries identifying and targeting the organizational supply chain: .

-
- -

Controls that can be implemented to reduce the probability of adversaries successfully identifying and targeting the supply chain include avoiding the purchase of custom or non-standardized configurations, employing approved vendor lists with standing reputations in industry, following pre-agreed maintenance schedules and update and patch delivery mechanisms, maintaining a contingency plan in case of a supply chain event, using procurement carve-outs that provide exclusions to commitments or obligations, using diverse delivery routes, and minimizing the time between purchase decisions and delivery.

-
- - -

are employed to limit harm from potential adversaries identifying and targeting the organizational supply chain.

-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management plan

-

system and services acquisition policy

-

configuration management policy

-

procedures addressing supply chain protection

-

procedures addressing the integration of information security requirements into the acquisition process

-

procedures addressing the baseline configuration of the system

-

configuration management plan

-

system design documentation

-

system architecture and associated configuration documentation

-

solicitation documentation

-

acquisition documentation

-

acquisition contracts for the system, system component, or system service

-

threat assessments

-

vulnerability assessments

-

list of security safeguards to be taken to protect the organizational supply chain against potential supply chain threats

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and services acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain risk management responsibilities

-
-
- - - - -

Organizational processes for defining and employing safeguards to limit harm from adversaries of the organizational supply chain

-

mechanisms supporting and/or implementing the definition and employment of safeguards to protect the organizational supply chain

-
-
-
- - Sub-tier Flow Down - - - - - - - - - -

Ensure that the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.

-
- -

To manage supply chain risk effectively and holistically, it is important that organizations ensure that supply chain risk management controls are included at all tiers in the supply chain. This includes ensuring that Tier 1 (prime) contractors have implemented processes to facilitate the flow down of supply chain risk management controls to sub-tier contractors. The controls subject to flow down are identified in SR-3b.

-
- - -

the controls included in the contracts of prime contractors are also included in the contracts of subcontractors.

-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management plan

-

system and services acquisition policy

-

procedures addressing supply chain protection

-

acquisition documentation

-

service level agreements

-

acquisition contracts for the system, system component, or system service

-

inter-organizational agreements and procedures

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and services acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain risk management responsibilities

-
-
- - - - -

Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities

-
-
-
-
- - Provenance - - - - - -

systems, system components, and associated data that require valid provenance are defined;

-
- - - - - - - - - - - - - - - - - - - - - - - - -

Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: .

-
- -

Every system and system component has a point of origin and may be changed throughout its existence. Provenance is the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include personnel and processes used to interact with or make modifications to the system, component, or associated data. Organizations consider developing procedures (see SR-1 ) for allocating responsibilities for the creation, maintenance, and monitoring of provenance for systems and system components; transferring provenance documentation and responsibility between organizations; and preventing and monitoring for unauthorized changes to the provenance records. Organizations have methods to document, monitor, and maintain valid provenance baselines for systems, system components, and related data. These actions help track, assess, and document any changes to the provenance, including changes in supply chain elements or configuration, and help ensure non-repudiation of provenance information and the provenance change records. Provenance considerations are addressed throughout the system development life cycle and incorporated into contracts and other arrangements, as appropriate.

-
- - - - -

valid provenance is documented for ;

-
- - -

valid provenance is monitored for ;

-
- - -

valid provenance is maintained for .

-
-
- - - - -

Supply chain risk management policy

-

supply chain risk management procedures

-

supply chain risk management plan

-

documentation of critical systems, critical system components, and associated data

-

documentation showing the history of ownership, custody, and location of and changes to critical systems or critical system components

-

system architecture

-

inter-organizational agreements and procedures

-

contracts

-

system security plan

-

privacy plan

-

personally identifiable information processing policy

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with acquisition responsibilities

-

organizational personnel with information security and privacy responsibilities

-

organizational personnel with supply chain risk management responsibilities

-
-
- - - - -

Organizational processes for identifying the provenance of critical systems and critical system components

-

mechanisms used to document, monitor, or maintain provenance

-
-
- - Identity - - - - - - -

supply chain elements, processes, and personnel associated with systems and critical system components that require unique identification are defined;

-
- - - - - - - - - - - -

Establish and maintain unique identification of the following supply chain elements, processes, and personnel associated with the identified system and critical system components: .

-
- -

Knowing who and what is in the supply chains of organizations is critical to gaining visibility into supply chain activities. Visibility into supply chain activities is also important for monitoring and identifying high-risk events and activities. Without reasonable visibility into supply chains elements, processes, and personnel, it is very difficult for organizations to understand and manage risk and reduce their susceptibility to adverse events. Supply chain elements include organizations, entities, or tools used for the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of systems and system components. Supply chain processes include development processes for hardware, software, and firmware; shipping and handling procedures; configuration management tools, techniques, and measures to maintain provenance; personnel and physical security programs; or other programs, processes, or procedures associated with the production and distribution of supply chain elements. Supply chain personnel are individuals with specific roles and responsibilities related to the secure the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of a system or system component. Identification methods are sufficient to support an investigation in case of a supply chain change (e.g. if a supply company is purchased), compromise, or event.

-
- - - - -

unique identification of is established;

-
- - -

unique identification of is maintained.

-
-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management plan

-

system and services acquisition policy

-

procedures addressing supply chain protection

-

procedures addressing the integration of information security requirements into the acquisition process

-

list of supply chain elements, processes, and actors (associated with the system, system component, or system service) requiring implementation of unique identification processes, procedures, tools, mechanisms, equipment, techniques, and/or configurations

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and services acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain protection responsibilities

-

organizational personnel with responsibilities for establishing and retaining the unique identification of supply chain elements, processes, and actors

-
-
- - - - -

Organizational processes for defining, establishing, and retaining unique identification for supply chain elements, processes, and actors

-

mechanisms supporting and/or implementing the definition, establishment, and retention of unique identification for supply chain elements, processes, and actors

-
-
-
- - Track and Trace - - - - - -

systems and critical system components that require unique identification for tracking through the supply chain are defined;

-
- - - - - - - - - - - - -

Establish and maintain unique identification of the following systems and critical system components for tracking through the supply chain: .

-
- -

Tracking the unique identification of systems and system components during development and transport activities provides a foundational identity structure for the establishment and maintenance of provenance. For example, system components may be labeled using serial numbers or tagged using radio-frequency identification tags. Labels and tags can help provide better visibility into the provenance of a system or system component. A system or system component may have more than one unique identifier. Identification methods are sufficient to support a forensic investigation after a supply chain compromise or event.

-
- - - - -

the unique identification of is established for tracking through the supply chain;

-
- - -

the unique identification of is maintained for tracking through the supply chain.

-
-
- - - - -

Supply chain risk management policy and procedures

-

system and services acquisition policy

-

procedures addressing supply chain protection

-

procedures addressing the integration of information security requirements into the acquisition process

-

supply chain risk management plan

-

list of supply chain elements, processes, and actors (associated with the system, system component, or system service) requiring implementation of unique identification processes, procedures, tools, mechanisms, equipment, techniques, and/or configurations

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and services acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain protection responsibilities

-

organizational personnel with responsibilities for establishing and retaining the unique identification of supply chain elements, processes, and actors

-
-
- - - - -

Organizational processes for defining, establishing, and retaining unique identification for supply chain elements, processes, and actors

-

mechanisms supporting and/or implementing the definition, establishment, and retention of unique identification for supply chain elements, processes, and actors

-
-
-
- - Validate as Genuine and Not Altered - - - - - - - - - -

controls to validate that the system or system component received is genuine are defined;

-
- - - - - -

controls to validate that the system or system component received has not been altered are defined;

-
- - - - - - - - - - - - -

Employ the following controls to validate that the system or system component received is genuine and has not been altered: .

-
- -

For many systems and system components, especially hardware, there are technical means to determine if the items are genuine or have been altered, including optical and nanotechnology tagging, physically unclonable functions, side-channel analysis, cryptographic hash verifications or digital signatures, and visible anti-tamper labels or stickers. Controls can also include monitoring for out of specification performance, which can be an indicator of tampering or counterfeits. Organizations may leverage supplier and contractor processes for validating that a system or component is genuine and has not been altered and for replacing a suspect system or component. Some indications of tampering may be visible and addressable before accepting delivery, such as inconsistent packaging, broken seals, and incorrect labels. When a system or system component is suspected of being altered or counterfeit, the supplier, contractor, or original equipment manufacturer may be able to replace the item or provide a forensic capability to determine the origin of the counterfeit or altered item. Organizations can provide training to personnel on how to identify suspicious system or component deliveries.

-
- - - - -

are employed to validate that the system or system component received is genuine;

-
- - -

are employed to validate that the system or system component received has not been altered.

-
-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management plan

-

system and services acquisition policy

-

procedures addressing supply chain protection

-

procedures addressing the security design principle of trusted components used in the specification, design, development, implementation, and modification of the system

-

system design documentation

-

procedures addressing the integration of information security requirements into the acquisition process

-

solicitation documentation

-

acquisition documentation

-

service level agreements

-

acquisition contracts for the system, system component, or system service

-

evidentiary documentation (including applicable configurations) indicating that the system or system component is genuine and has not been altered

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and services acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain risk management responsibilities

-
-
- - - - -

Organizational processes for defining and employing validation safeguards

-

mechanisms supporting and/or implementing the definition and employment of validation safeguards

-

mechanisms supporting the application of the security design principle of trusted components in system specification, design, development, implementation, and modification

-
-
-
- - Supply Chain Integrity — Pedigree - - - - - -

controls employed to ensure that the integrity of the system and system component are defined;

-
- - - - - - - -

an analysis method to be conducted to validate the internal composition and provenance of critical or mission-essential technologies, products, and services to ensure the integrity of the system and system component is defined;

-
- - - - - - - - - -

Employ and conduct to ensure the integrity of the system and system components by validating the internal composition and provenance of critical or mission-essential technologies, products, and services.

-
- -

Authoritative information regarding the internal composition of system components and the provenance of technology, products, and services provides a strong basis for trust. The validation of the internal composition and provenance of technologies, products, and services is referred to as the pedigree. For microelectronics, this includes material composition of components. For software this includes the composition of open-source and proprietary code, including the version of the component at a given point in time. Pedigrees increase the assurance that the claims suppliers assert about the internal composition and provenance of the products, services, and technologies they provide are valid. The validation of the internal composition and provenance can be achieved by various evidentiary artifacts or records that manufacturers and suppliers produce during the research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal of technology, products, and services. Evidentiary artifacts include, but are not limited to, software identification (SWID) tags, software component inventory, the manufacturers’ declarations of platform attributes (e.g., serial numbers, hardware component inventory), and measurements (e.g., firmware hashes) that are tightly bound to the hardware itself.

-
- - - - -

are employed to ensure the integrity of the system and system components;

-
- - -

is conducted to ensure the integrity of the system and system components.

-
-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management plan

-

system and services acquisition policy

-

procedures addressing supply chain protection

-

bill of materials for critical systems or system components

-

acquisition documentation

-

software identification tags

-

manufacturer declarations of platform attributes (e.g., serial numbers, hardware component inventory) and measurements (e.g., firmware hashes) that are tightly bound to the hardware itself

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and services acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain risk management responsibilities

-
-
- - - - -

Organizational processes for identifying pedigree information

-

organizational processes to determine and validate the integrity of the internal composition of critical systems and critical system components

-

mechanisms to determine and validate the integrity of the internal composition of critical systems and critical system components

-
-
-
-
- - Acquisition Strategies, Tools, and Methods - - - - - - -

acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks are defined;

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Employ the following acquisition strategies, contract tools, and procurement methods to protect against, identify, and mitigate supply chain risks: .

-
- -

The use of the acquisition process provides an important vehicle to protect the supply chain. There are many useful tools and techniques available, including obscuring the end use of a system or system component, using blind or filtered buys, requiring tamper-evident packaging, or using trusted or controlled distribution. The results from a supply chain risk assessment can guide and inform the strategies, tools, and methods that are most applicable to the situation. Tools and techniques may provide protections against unauthorized production, theft, tampering, insertion of counterfeits, insertion of malicious software or backdoors, and poor development practices throughout the system development life cycle. Organizations also consider providing incentives for suppliers who implement controls, promote transparency into their processes and security and privacy practices, provide contract language that addresses the prohibition of tainted or counterfeit components, and restrict purchases from untrustworthy suppliers. Organizations consider providing training, education, and awareness programs for personnel regarding supply chain risk, available mitigation strategies, and when the programs should be employed. Methods for reviewing and protecting development plans, documentation, and evidence are commensurate with the security and privacy requirements of the organization. Contracts may specify documentation protection requirements.

-
- - - - -

are employed to protect against supply chain risks;

-
- - -

are employed to identify supply chain risks;

-
- - -

are employed to mitigate supply chain risks.

-
-
- - - - -

Supply chain risk management policy

-

supply chain risk management procedures

-

supply chain risk management plan

-

system and services acquisition policy

-

system and services acquisition procedures

-

procedures addressing supply chain protection

-

procedures addressing the integration of information security and privacy requirements into the acquisition process

-

solicitation documentation

-

acquisition documentation (including purchase orders)

-

service level agreements

-

acquisition contracts for systems, system components, or services

-

documentation of training, education, and awareness programs for personnel regarding supply chain risk

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with acquisition responsibilities

-

organizational personnel with information security and privacy responsibilities

-

organizational personnel with supply chain risk management responsibilities

-
-
- - - - -

Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods

-

mechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods

-
-
- - Adequate Supply - - - - - -

controls to ensure an adequate supply of critical system components are defined;

-
- - - - - - -

critical system components of which an adequate supply is required are defined;

-
- - - - - - - - - -

Employ the following controls to ensure an adequate supply of : .

-
- -

Adversaries can attempt to impede organizational operations by disrupting the supply of critical system components or corrupting supplier operations. Organizations may track systems and component mean time to failure to mitigate the loss of temporary or permanent system function. Controls to ensure that adequate supplies of critical system components include the use of multiple suppliers throughout the supply chain for the identified critical components, stockpiling spare components to ensure operation during mission-critical times, and the identification of functionally identical or similar components that may be used, if necessary.

-
- - -

are employed to ensure an adequate supply of .

-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management strategy

-

supply chain risk management plan

-

contingency planning documents

-

inventory of critical systems and system components

-

determination of adequate supply

-

system and services acquisition policy

-

procedures addressing supply chain protection

-

procedures addressing the integration of information security requirements into the acquisition process

-

procedures addressing the integration of acquisition strategies, contract tools, and procurement methods into the acquisition process

-

solicitation documentation

-

acquisition documentation

-

service level agreements

-

acquisition contracts for systems or services

-

purchase orders/requisitions for the system, system component, or system service from suppliers

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and services acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain risk management responsibilities

-
-
- - - - -

Organizational processes for defining and employing tailored acquisition strategies, contract tools, and procurement methods

-

mechanisms supporting and/or implementing the definition and employment of tailored acquisition strategies, contract tools, and procurement methods

-
-
-
- - Assessments Prior to Selection, Acceptance, Modification, or Update - - - - - - - - - - - -

Assess the system, system component, or system service prior to selection, acceptance, modification, or update.

-
- -

Organizational personnel or independent, external entities conduct assessments of systems, components, products, tools, and services to uncover evidence of tampering, unintentional and intentional vulnerabilities, or evidence of non-compliance with supply chain controls. These include malicious code, malicious processes, defective software, backdoors, and counterfeits. Assessments can include evaluations; design proposal reviews; visual or physical inspection; static and dynamic analyses; visual, x-ray, or magnetic particle inspections; simulations; white, gray, or black box testing; fuzz testing; stress testing; and penetration testing (see SR-6(1) ). Evidence generated during assessments is documented for follow-on actions by organizations. The evidence generated during the organizational or independent assessments of supply chain elements may be used to improve supply chain processes and inform the supply chain risk management process. The evidence can be leveraged in follow-on assessments. Evidence and other documentation may be shared in accordance with organizational agreements.

-
- - - - -

the system, system component, or system service is assessed prior to selection;

-
- - -

the system, system component, or system service is assessed prior to acceptance;

-
- - -

the system, system component, or system service is assessed prior to modification;

-
- - -

the system, system component, or system service is assessed prior to update.

-
-
- - - - -

System security plan

-

system and services acquisition policy

-

procedures addressing supply chain protection

-

procedures addressing the integration of information security requirements into the acquisition process

-

security test and evaluation results

-

vulnerability assessment results

-

penetration testing results

-

organizational risk assessment results

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and services acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain protection responsibilities

-
-
- - - - -

Organizational processes for conducting assessments prior to selection, acceptance, or update

-

mechanisms supporting and/or implementing the conducting of assessments prior to selection, acceptance, or update

-
-
-
-
- - Supplier Assessments and Reviews - - - - - -

the frequency at which to assess and review the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide is defined;

-
- - - - - - - - - - - - - - - - - - - - - - -

Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide .

-
- -

An assessment and review of supplier risk includes security and supply chain risk management processes, foreign ownership, control or influence (FOCI), and the ability of the supplier to effectively assess subordinate second-tier and third-tier suppliers and contractors. The reviews may be conducted by the organization or by an independent third party. The reviews consider documented processes, documented controls, all-source intelligence, and publicly available information related to the supplier or contractor. Organizations can use open-source information to monitor for indications of stolen information, poor development and quality control practices, information spillage, or counterfeits. In some cases, it may be appropriate or required to share assessment and review results with other organizations in accordance with any applicable rules, policies, or inter-organizational agreements or contracts.

-
- - -

the supply chain-related risks associated with suppliers or contractors and the systems, system components, or system services they provide are assessed and reviewed .

-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management strategy

-

supply chain risk management plan

-

system and services acquisition policy

-

procedures addressing supply chain protection

-

procedures addressing the integration of information security requirements into the acquisition process

-

records of supplier due diligence reviews

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and services acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain protection responsibilities

-
-
- - - - -

Organizational processes for conducting supplier reviews

-

mechanisms supporting and/or implementing supplier reviews

-
-
- - Testing and Analysis - - - - - - - - - - -

supply chain elements, processes, and actors to be analyzed and tested are defined;

-
- - - - - - - - - - -

Employ of the following supply chain elements, processes, and actors associated with the system, system component, or system service: .

-
- -

Relationships between entities and procedures within the supply chain, including development and delivery, are considered. Supply chain elements include organizations, entities, or tools that are used for the research and development, design, manufacturing, acquisition, delivery, integration, operations, maintenance, and disposal of systems, system components, or system services. Supply chain processes include supply chain risk management programs; SCRM strategies and implementation plans; personnel and physical security programs; hardware, software, and firmware development processes; configuration management tools, techniques, and measures to maintain provenance; shipping and handling procedures; and programs, processes, or procedures associated with the production and distribution of supply chain elements. Supply chain actors are individuals with specific roles and responsibilities in the supply chain. The evidence generated and collected during analyses and testing of supply chain elements, processes, and actors is documented and used to inform organizational risk management activities and decisions.

-
- - -

is/are employed on associated with the system, system component, or system service.

-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management plan

-

system and services acquisition policy

-

procedures addressing supply chain protection

-

evidence of organizational analysis, independent third-party analysis, organizational penetration testing, and/or independent third-party penetration testing

-

list of supply chain elements, processes, and actors (associated with the system, system component, or system service) subject to analysis and/or testing

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and services acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain risk management responsibilities

-

organizational personnel with responsibilities for analyzing and/or testing supply chain elements, processes, and actors

-
-
- - - - -

Organizational processes for defining and employing methods of analysis/testing of supply chain elements, processes, and actors

-

mechanisms supporting and/or implementing the analysis/testing of supply chain elements, processes, and actors

-
-
-
-
- - Supply Chain Operations Security - - - - - - -

Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service are defined;

-
- - - - - - - - - - - - - -

Employ the following Operations Security (OPSEC) controls to protect supply chain-related information for the system, system component, or system service: .

-
- -

Supply chain OPSEC expands the scope of OPSEC to include suppliers and potential suppliers. OPSEC is a process that includes identifying critical information, analyzing friendly actions related to operations and other activities to identify actions that can be observed by potential adversaries, determining indicators that potential adversaries might obtain that could be interpreted or pieced together to derive information in sufficient time to cause harm to organizations, implementing safeguards or countermeasures to eliminate or reduce exploitable vulnerabilities and risk to an acceptable level, and considering how aggregated information may expose users or specific uses of the supply chain. Supply chain information includes user identities; uses for systems, system components, and system services; supplier identities; security and privacy requirements; system and component configurations; supplier processes; design specifications; and testing and evaluation results. Supply chain OPSEC may require organizations to withhold mission or business information from suppliers and may include the use of intermediaries to hide the end use or users of systems, system components, or system services.

-
- - -

are employed to protect supply chain-related information for the system, system component, or system service.

-
- - - - -

Supply chain risk management plan

-

supply chain risk management procedures

-

system and services acquisition policy

-

system and services acquisition procedures

-

procedures addressing supply chain protection

-

list of OPSEC controls to be employed

-

solicitation documentation

-

acquisition documentation

-

acquisition contracts for the system, system component, or system service

-

records of all-source intelligence analyses

-

system security plan

-

privacy plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with acquisition responsibilities

-

organizational personnel with information security and privacy responsibilities

-

organizational personnel with OPSEC responsibilities

-

organizational personnel with supply chain risk management responsibilities

-
-
- - - - -

Organizational processes for defining and employing OPSEC safeguards

-

mechanisms supporting and/or implementing the definition and employment of OPSEC safeguards

-
-
-
- - Notification Agreements - - - - - - - - - - - -

information for which agreements and procedures are to be established are defined (if selected);

-
- - - - - - - - - - - - - - - - - -

Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the .

-
- -

The establishment of agreements and procedures facilitates communications among supply chain entities. Early notification of compromises and potential compromises in the supply chain that can potentially adversely affect or have adversely affected organizational systems or system components is essential for organizations to effectively respond to such incidents. The results of assessments or audits may include open-source information that contributed to a decision or result and could be used to help the supply chain entity resolve a concern or improve its processes.

-
- - -

agreements and procedures are established with entities involved in the supply chain for the system, system components, or system service for .

-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management plan

-

system and services acquisition policy

-

procedures addressing supply chain protection

-

acquisition documentation

-

service level agreements

-

acquisition contracts for the system, system component, or system service

-

inter-organizational agreements and procedures

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and service acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain risk management responsibilities

-
-
- - - - -

Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities

-
-
-
- - Tamper Resistance and Detection - - - - - - - - - - - - - - - - - -

Implement a tamper protection program for the system, system component, or system service.

-
- -

Anti-tamper technologies, tools, and techniques provide a level of protection for systems, system components, and services against many threats, including reverse engineering, modification, and substitution. Strong identification combined with tamper resistance and/or tamper detection is essential to protecting systems and components during distribution and when in use.

-
- - -

a tamper protection program is implemented for the system, system component, or system service.

-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management plan

-

system and services acquisition policy

-

procedures addressing supply chain protection

-

procedures addressing tamper resistance and detection

-

tamper protection program documentation

-

tamper protection tools and techniques documentation

-

tamper resistance and detection tools and techniques documentation

-

acquisition documentation

-

service level agreements

-

acquisition contracts for the system, system component, or system service

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with tamper protection program responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain risk management responsibilities

-
-
- - - - -

Organizational processes for the implementation of the tamper protection program

-

mechanisms supporting and/or implementing the tamper protection program

-
-
- - Multiple Stages of System Development Life Cycle - - - - - - - - -

Employ anti-tamper technologies, tools, and techniques throughout the system development life cycle.

-
- -

The system development life cycle includes research and development, design, manufacturing, acquisition, delivery, integration, operations and maintenance, and disposal. Organizations use a combination of hardware and software techniques for tamper resistance and detection. Organizations use obfuscation and self-checking to make reverse engineering and modifications more difficult, time-consuming, and expensive for adversaries. The customization of systems and system components can make substitutions easier to detect and therefore limit damage.

-
- - -

anti-tamper technologies, tools, and techniques are employed throughout the system development life cycle.

-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management plan

-

system and services acquisition policy

-

procedures addressing tamper resistance and detection

-

tamper protection program documentation

-

tamper protection tools and techniques documentation

-

tamper resistance and detection tools (technologies) and techniques documentation

-

system development life cycle documentation

-

procedures addressing supply chain protection

-

system development life cycle procedures

-

acquisition documentation

-

service level agreements

-

acquisition contracts for the system, system component, or system service

-

inter-organizational agreements and procedures

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and services acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain risk management responsibilities

-

organizational personnel with SDLC responsibilities

-
-
- - - - -

Organizational processes for employing anti-tamper technologies

-

mechanisms supporting and/or implementing anti-tamper technologies

-
-
-
-
- - Inspection of Systems or Components - - - - - -

systems or system components that require inspection are defined;

-
- - - - - - - - - - - -

frequency at which to inspect systems or system components is defined (if selected);

-
- - - - - - -

indications of the need for an inspection of systems or system components are defined (if selected);

-
- - - - - - - - - - - - - - - - - -

Inspect the following systems or system components to detect tampering: .

-
- -

The inspection of systems or systems components for tamper resistance and detection addresses physical and logical tampering and is applied to systems and system components removed from organization-controlled areas. Indications of a need for inspection include changes in packaging, specifications, factory location, or entity in which the part is purchased, and when individuals return from travel to high-risk locations.

-
- - -

are inspected to detect tampering.

-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management plan

-

system and services acquisition policy

-

records of random inspections

-

inspection reports/results

-

assessment reports/results

-

acquisition documentation

-

service level agreements

-

acquisition contracts for the system, system component, or system service

-

inter-organizational agreements and procedures

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and services acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain risk management responsibilities

-
-
- - - - -

Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities

-

organizational processes to inspect for tampering

-
-
-
- - Component Authenticity - - - - - - - - - - -

external reporting organizations to whom counterfeit system components are to be reported is/are defined (if selected);

-
- - - - - - -

personnel or roles to whom counterfeit system components are to be reported is/are defined (if selected);

-
- - - - - - - - - - - - - - - -

Develop and implement anti-counterfeit policy and procedures that include the means to detect and prevent counterfeit components from entering the system; and

-
- - -

Report counterfeit system components to .

-
-
- -

Sources of counterfeit components include manufacturers, developers, vendors, and contractors. Anti-counterfeiting policies and procedures support tamper resistance and provide a level of protection against the introduction of malicious code. External reporting organizations include CISA.

-
- - - - - - -

an anti-counterfeit policy is developed and implemented;

-
- - -

anti-counterfeit procedures are developed and implemented;

-
- - -

the anti-counterfeit procedures include the means to detect counterfeit components entering the system;

-
- - -

the anti-counterfeit procedures include the means to prevent counterfeit components from entering the system;

-
-
- - -

counterfeit system components are reported to .

-
-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management plan

-

system and services acquisition policy

-

anti-counterfeit plan

-

anti-counterfeit policy and procedures

-

media disposal policy

-

media protection policy

-

incident response policy

-

reports notifying developers, manufacturers, vendors, contractors, and/or external reporting organizations of counterfeit system components

-

acquisition documentation

-

service level agreements

-

acquisition contracts for the system, system component, or system service

-

inter-organizational agreements and procedures

-

records of reported counterfeit system components

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and service acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain risk management responsibilities

-

organizational personnel with responsibilities for anti-counterfeit policies, procedures, and reporting

-
-
- - - - -

Organizational processes for counterfeit prevention, detection, and reporting

-

mechanisms supporting and/or implementing anti-counterfeit detection, prevention, and reporting

-
-
- - Anti-counterfeit Training - - - - - -

personnel or roles requiring training to detect counterfeit system components (including hardware, software, and firmware) is/are defined;

-
- - - - - - - - - -

Train to detect counterfeit system components (including hardware, software, and firmware).

-
- -

None.

-
- - -

are trained to detect counterfeit system components (including hardware, software, and firmware).

-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management plan

-

system and services acquisition policy

-

anti-counterfeit plan

-

anti-counterfeit policy and procedures

-

media disposal policy

-

media protection policy

-

incident response policy

-

training materials addressing counterfeit system components

-

training records on the detection and prevention of counterfeit components entering the system

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with information security responsibilities

-

organizational personnel with supply chain risk management responsibilities

-

organizational personnel with responsibilities for anti-counterfeit policies, procedures, and training

-
-
- - - - -

Organizational processes for anti-counterfeit training

-
-
-
- - Configuration Control for Component Service and Repair - - - - - -

system components requiring configuration control are defined;

-
- - - - - - - - - - - - -

Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: .

-
- -

None.

-
- - - - -

configuration control over awaiting service or repair is maintained;

-
- - -

configuration control over serviced or repaired awaiting return to service is maintained.

-
-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management plan

-

configuration control procedures

-

acquisition documentation

-

service level agreements

-

acquisition contracts for the system component

-

inter-organizational agreements and procedures

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and services acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain risk management responsibilities

-
-
- - - - -

Organizational processes for establishing inter-organizational agreements and procedures with supply chain entities

-

organizational configuration control processes

-
-
-
- - Anti-counterfeit Scanning - - - - - -

the frequency at which to scan for counterfeit system components is defined;

-
- - - - - - - - - -

Scan for counterfeit system components .

-
- -

The type of component determines the type of scanning to be conducted (e.g., web application scanning if the component is a web application).

-
- - -

scanning for counterfeit system components is conducted .

-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management plan

-

anti-counterfeit policy and procedures

-

system design documentation

-

system configuration settings and associated documentation

-

scanning tools and associated documentation

-

scanning results

-

procedures addressing supply chain protection

-

acquisition documentation

-

inter-organizational agreements and procedures

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system and services acquisition responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain risk management responsibilities

-

organizational personnel with responsibilities for anti-counterfeit policies and procedures

-

organizational personnel with responsibility for anti-counterfeit scanning

-
-
- - - - -

Organizational processes for scanning for counterfeit system components

-

mechanisms supporting and/or implementing anti-counterfeit scanning

-
-
-
-
- - Component Disposal - - - - - -

data, documentation, tools, or system components to be disposed of are defined;

-
- - - - - - -

techniques and methods for disposing of data, documentation, tools, or system components are defined;

-
- - - - - - - - -

Dispose of using the following techniques and methods: .

-
- -

Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market.

-
- - -

are disposed of using .

-
- - - - -

Supply chain risk management policy and procedures

-

supply chain risk management plan

-

disposal procedures addressing supply chain protection

-

media disposal policy

-

media protection policy

-

disposal records for system components

-

documentation of the system components identified for disposal

-

documentation of the disposal techniques and methods employed for system components

-

system security plan

-

other relevant documents or records

-
-
- - - - -

Organizational personnel with system component disposal responsibilities

-

organizational personnel with information security responsibilities

-

organizational personnel with supply chain protection responsibilities

-
-
- - - - -

Organizational techniques and methods for system component disposal

-

mechanisms supporting and/or implementing system component disposal

-
-
-
-
- - - 32 CFR 2002 - - Code of Federal Regulations, Title 32, Controlled Unclassified Information (32 C.F.R. 2002). - - - - - 41 CFR 201 - - Federal Acquisition Supply Chain Security Act; Rule, 85 Federal Register 54263 (September 1, 2020), pp 54263-54271. - - - - - 5 CFR 731 - - Code of Federal Regulations, Title 5, Administrative Personnel , Section 731.106, Designation of Public Trust Positions and Investigative Requirements (5 C.F.R. 731.106). - - - - - ATOM54 - - Atomic Energy Act (P.L. 83-703), August 1954. - - - - - CMPPA - - Computer Matching and Privacy Protection Act of 1988 (P.L. 100-503), October 1988. - - - - - CNSSD 505 - - Committee on National Security Systems Directive No. 505, Supply Chain Risk Management (SCRM) , August 2017. - - - - - CNSSI 1253 - - Committee on National Security Systems Instruction No. 1253, Security Categorization and Control Selection for National Security Systems , March 2014. - - - - - CNSSI 4009 - - Committee on National Security Systems Instruction No. 4009, Committee on National Security Systems (CNSS) Glossary , April 2015. - - - - - CNSSP 22 - - Committee on National Security Systems Policy No. 22, Cybersecurity Risk Management Policy , August 2016. - - - - - DHS NIPP - - Department of Homeland Security, National Infrastructure Protection Plan (NIPP) , 2009. - - - - - DHS TIC - - Department of Homeland Security, Trusted Internet Connections (TIC). - - - - - DOD STIG - - Defense Information Systems Agency, Security Technical Implementation Guides (STIG). - - - - - DODI 8510.01 - - Department of Defense Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT) , March 2014. - - - - - DODTERMS - - Department of Defense, Dictionary of Military and Associated Terms. - - - - - DSB 2017 - - Department of Defense, Defense Science Board, Task Force on Cyber Deterrence , February 2017. - - - - - EGOV - - E-Government Act [includes FISMA] (P.L. 107-347), December 2002. 
- - - - - EO 13526 - - Executive Order 13526, Classified National Security Information , December 2009. - - - - - EO 13556 - - Executive Order 13556, Controlled Unclassified Information , November 2010. - - - - - EO 13587 - - Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information , October 2011. - - - - - EO 13636 - - Executive Order 13636, Improving Critical Infrastructure Cybersecurity , February 2013. - - - - - EO 13800 - - Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure , May 2017. - - - - - EO 13873 - - Executive Order 13873, Executive Order on Securing the Information and Communications Technology and Services Supply Chain , May 2019. - - - - - EVIDACT - - Foundations for Evidence-Based Policymaking Act of 2018 (P.L. 115-435), January 2019. - - - - - FASC18 - - Secure Technology Act [includes Federal Acquisition Supply Chain Security Act] (P.L. 115-390), December 2018. - - - - - FED PKI - - General Services Administration, Federal Public Key Infrastructure. - - - - - FIPS 140-3 - - National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3. - - - - - FIPS 180-4 - - National Institute of Standards and Technology (2015) Secure Hash Standard (SHS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 180-4. - - - - - FIPS 186-4 - - National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4. - - - - - FIPS 196 - - National Institute of Standards and Technology (1997) Standards for Security Categorization of Federal Information and Information Systems. 
(U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 196. - - - - - FIPS 197 - - National Institute of Standards and Technology (2001) Advanced Encryption Standard (AES). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 197. - - - - - FIPS 198-1 - - National Institute of Standards and Technology (2008) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 198-1. - - - - - FIPS 199 - - National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199. - - - - - FIPS 200 - - National Institute of Standards and Technology (2006) Minimum Security Requirements for Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 200. - - - - - FIPS 201-2 - - National Institute of Standards and Technology (2013) Personal Identity Verification (PIV) of Federal Employees and Contractors. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 201-2. - - - - - FIPS 202 - - National Institute of Standards and Technology (2015) SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 202. - - - - - FISMA IMP - - Federal Information Security Modernization Act (FISMA) Implementation Project. - - - - - FISMA - - Federal Information Security Modernization Act (P.L. 113-283), December 2014. - - - - - FOIA96 - - Freedom of Information Act (FOIA), 5 U.S.C. 
§ 552, As Amended By Public Law No. 104-231, 110 Stat. 3048, Electronic Freedom of Information Act Amendments of 1996. - - - - - HSPD 12 - - Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 2004. - - - - - HSPD 7 - - Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection , December 2003. - - - - - IETF 4949 - - Internet Engineering Task Force (IETF), Request for Comments: 4949, Internet Security Glossary, Version 2 , August 2007. - - - - - IETF 5905 - - Internet Engineering Task Force (IETF), Request for Comments: 5905, Network Time Protocol Version 4: Protocol and Algorithms Specification , June 2010. - - - - - IR 7539 - - Cooper DA, MacGregor WI (2008) Symmetric Key Injection onto Smart Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7539. - - - - - IR 7559 - - Singhal A, Gunestas M, Wijesekera D (2010) Forensics Web Services (FWS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7559. - - - - - IR 7622 - - Boyens JM, Paulsen C, Bartol N, Shankles S, Moorthy R (2012) Notional Supply Chain Risk Management Practices for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7622. - - - - - IR 7676 - - Cooper DA (2010) Maintaining and Using Key History on Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7676. - - - - - IR 7788 - - Singhal A, Ou X (2011) Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7788. 
- - - - - IR 7817 - - Ferraiolo H (2012) A Credential Reliability and Revocation Model for Federated Identities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7817. - - - - - IR 7849 - - Chandramouli R (2014) A Methodology for Developing Authentication Assurance Level Taxonomy for Smart Card-based Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7849. - - - - - IR 7870 - - Cooper DA (2012) NIST Test Personal Identity Verification (PIV) Cards. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7870. - - - - - IR 7874 - - Hu VC, Scarfone KA (2012) Guidelines for Access Control System Evaluation Metrics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7874. - - - - - IR 7956 - - Chandramouli R, Iorga M, Chokhani S (2013) Cryptographic Key Management Issues & Challenges in Cloud Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7956. - - - - - IR 7966 - - Ylonen T, Turner P, Scarfone KA, Souppaya MP (2015) Security of Interactive and Automated Access Management Using Secure Shell (SSH). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 7966. - - - - - IR 8011-1 - - Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 1: Overview. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 1. - - - - - IR 8011-2 - - Dempsey KL, Eavy P, Moore G (2017) Automation Support for Security Control Assessments: Volume 2: Hardware Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 2. 
- - - - - IR 8011-3 - - Dempsey KL, Eavy P, Goren N, Moore G (2018) Automation Support for Security Control Assessments: Volume 3: Software Asset Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 3. - - - - - IR 8011-4 - - Dempsey KL, Takamura E, Eavy P, Moore G (2020) Automation Support for Security Control Assessments: Volume 4: Software Vulnerability Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8011, Volume 4. - - - - - IR 8023 - - Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023. - - - - - IR 8040 - - Greene KK, Kelsey JM, Franklin JM (2016) Measuring the Usability and Security of Permuted Passwords on Mobile Platforms. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8040. - - - - - IR 8062 - - Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062. - - - - - IR 8112 - - Grassi P, Lefkovitz N, Nadeau E, Galluzzo R, Dinh, A (2018) Attribute Metadata: A Proposed Schema for Evaluating Federated Attributes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8112. - - - - - IR 8179 - - Paulsen C, Boyens JM, Bartol N, Winkler K (2018) Criticality Analysis Process Model: Prioritizing Systems and Components. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8179. - - - - - IR 8272 - - Paulsen C, Winkler K, Boyens JM, Ng J, Gimbi J (2020) Impact Analysis Tool for Interdependent Cyber Supply Chain Risks. 
(National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8272. - - - - - ISO 15026-1 - - International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 15026-1:2019, Systems and software engineering — Systems and software assurance — Part 1: Concepts and vocabulary , March 2019. - - - - - ISO 15288 - - International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 15288:2015, Systems and software engineering —Systems life cycle processes , May 2015. - - - - - ISO 15408-1 - - International Organization for Standardization/International Electrotechnical Commission 15408-1:2009, Information technology —Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model , April 2017. - - - - - ISO 15408-2 - - International Organization for Standardization/International Electrotechnical Commission 15408-2:2008, Information technology —Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements , April 2017. - - - - - ISO 15408-3 - - International Organization for Standardization/International Electrotechnical Commission 15408-3:2008, Information technology—Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements , April 2017. - - - - - ISO 20243 - - International Organization for Standardization/International Electrotechnical Commission 20243-1:2018, Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations , February 2018. - - - - - ISO 25237 - - International Organization for Standardization/International Electrotechnical Commission 25237:2017, Health informatics —Pseudonymization , January 2017. 
- - - - - ISO 27036 - - International Organization for Standardization/International Electrotechnical Commission 27036-1:2014, Information technology—Security techniques—Information security for supplier relationships, Part 1: Overview and concepts , April 2014. - - - - - ISO 29100 - - International Organization for Standardization/International Electrotechnical Commission 29100:2011, Information technology—Security techniques—Privacy framework , December 2011. - - - - - ISO 29147 - - International Organization for Standardization/International Electrotechnical Commission 29147:2018, Information technology—Security techniques—Vulnerability disclosure , October 2018. - - - - - ISO 29148 - - International Organization for Standardization/International Electrotechnical Commission/Institute of Electrical and Electronics Engineers (ISO/IEC/IEEE) 29148:2018, Systems and software engineering—Life cycle processes—Requirements engineering , November 2018. - - - - - LAMPSON73 - - B. W. Lampson, A Note on the Confinement Problem , Communications of the ACM 16, 10, pp. 613-615, October 1973. - - - - NARA CUI - - National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry. - - - - - NCPR - - National Institute of Standards and Technology (2020) National Checklist Program Repository . Available at - - - - - NEUM04 - - Principled Assuredly Trustworthy Composable Architectures , P. Neumann, CDRL A001 Final Report, SRI International, December 2004. - - - - - NIAP CCEVS - - National Information Assurance Partnership, Common Criteria Evaluation and Validation Scheme. - - - - - NIST CAVP - - National Institute of Standards and Technology (2020) Cryptographic Algorithm Validation Program . Available at - - - - - NIST CMVP - - National Institute of Standards and Technology (2020) Cryptographic Module Validation Program . 
Available at - - - - - NIST CSF - - National Institute of Standards and Technology (2018) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. (National Institute of Standards and Technology, Gaithersburg, MD). - - - - - NIST PF - - National Institute of Standards and Technology (2020) Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0. (National Institute of Standards and Technology, Gaithersburg, MD). - - - - - NITP12 - - Presidential Memorandum for the Heads of Executive Departments and Agencies, National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs , November 2012. - - - - - NSA CSFC - - National Security Agency, Commercial Solutions for Classified Program (CSfC). - - - - - NSA MEDIA - - National Security Agency, Media Destruction Guidance. - - - - - NVD 800-53 - - National Institute of Standards and Technology (2020) National Vulnerability Database: NIST Special Publication 800-53 [database of controls]. Available at - - - - - ODNI CTF - - Office of the Director of National Intelligence (ODNI) Cyber Threat Framework. - - - - - ODNI NITP - - Office of the Director National Intelligence, National Insider Threat Policy - - - - - OMB A-108 - - Office of Management and Budget Memorandum Circular A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act , December 2016. - - - - - OMB A-130 - - Office of Management and Budget Memorandum Circular A-130, Managing Information as a Strategic Resource , July 2016. - - - - - OMB M-03-22 - - Office of Management and Budget Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 , September 2003. https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2003/m03_22.pdf - - - - - OMB M-08-05 - - Office of Management and Budget Memorandum M-08-05, Implementation of Trusted Internet Connections (TIC) , November 2007. 
- - - - - OMB M-17-06 - - Office of Management and Budget Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital Services , November 2016. - - - - - OMB M-17-12 - - Office of Management and Budget Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information , January 2017. - - - - - OMB M-17-25 - - Office of Management and Budget Memorandum M-17-25, Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure , May 2017. - - - - - OMB M-19-03 - - Office of Management and Budget Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program , December 2018. - - - - - OMB M-19-15 - - Office of Management and Budget Memorandum M-19-15, Improving Implementation of the Information Quality Act , April 2019. - - - - - OMB M-19-23 - - Office of Management and Budget Memorandum M-19-23, Phase 1 Implementation of the Foundations for Evidence-Based Policymaking Act of 2018: Learning Agendas, Personnel, and Planning Guidance , July 2019. - - - - - POPEK74 - - G. Popek, The Principle of Kernel Design , in 1974 NCC, AFIPS Cong. Proc., Vol. 43, pp. 977-978. - - - - PRIVACT - - Privacy Act (P.L. 93-579), December 1974. - - - - - SALTZER75 - - J. Saltzer and M. Schroeder, The Protection of Information in Computer Systems , in Proceedings of the IEEE 63(9), September 1975, pp. 1278-1308. - - - - SP 800-100 - - Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007. - - - - - SP 800-101 - - Ayers RP, Brothers S, Jansen W (2014) Guidelines on Mobile Device Forensics. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-101, Rev. 1. 
- - - - - SP 800-111 - - Scarfone KA, Souppaya MP, Sexton M (2007) Guide to Storage Encryption Technologies for End User Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-111. - - - - - SP 800-113 - - Frankel SE, Hoffman P, Orebaugh AD, Park R (2008) Guide to SSL VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-113. - - - - - SP 800-114 - - Souppaya MP, Scarfone KA (2016) User's Guide to Telework and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-114, Rev. 1. - - - - - SP 800-115 - - Scarfone KA, Souppaya MP, Cody A, Orebaugh AD (2008) Technical Guide to Information Security Testing and Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-115. - - - - - SP 800-116 - - Ferraiolo H, Mehta KL, Ghadiali N, Mohler J, Johnson V, Brady S (2018) A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-116, Rev. 1. - - - - - SP 800-121 - - Padgette J, Bahr J, Holtmann M, Batra M, Chen L, Smithbey R, Scarfone KA (2017) Guide to Bluetooth Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-121, Rev. 2. - - - - - SP 800-124 - - Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1. - - - - - SP 800-125B - - Chandramouli R (2016) Secure Virtual Network Configuration for Virtual Machine (VM) Protection. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-125B. 
- - - - - SP 800-126 - - Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3. - - - - - SP 800-128 - - Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019. - - - - - SP 800-12 - - Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1. - - - - - SP 800-130 - - Barker EB, Smid ME, Branstad DK, Chokhani S (2013) A Framework for Designing Cryptographic Key Management Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-130. - - - - - SP 800-137A - - Dempsey KL, Pillitteri VY, Baer C, Niemeyer R, Rudman R, Urban S (2020) Assessing Information Security Continuous Monitoring (ISCM) Programs: Developing an ISCM Program Assessment. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137A. - - - - - SP 800-137 - - Dempsey KL, Chawla NS, Johnson LA, Johnston R, Jones AC, Orebaugh AD, Scholl MA, Stine KM (2011) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-137. - - - - - SP 800-147 - - Cooper DA, Polk T, Regenscheid AR, Souppaya MP (2011) BIOS Protection Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-147. 
- - - - - SP 800-150 - - Johnson CS, Waltermire DA, Badger ML, Skorupka C, Snyder J (2016) Guide to Cyber Threat Information Sharing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-150. - - - - - SP 800-152 - - Barker EB, Branstad DK, Smid ME (2015) A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-152. - - - - - SP 800-154 - - Souppaya MP, Scarfone KA (2016) Guide to Data-Centric System Threat Modeling. (National Institute of Standards and Technology, Gaithersburg, MD), Draft NIST Special Publication (SP) 800-154. - - - - - SP 800-156 - - Ferraiolo H, Chandramouli R, Mehta KL, Mohler J, Skordinski S, Brady S (2016) Representation of PIV Chain-of-Trust for Import and Export. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-156. - - - - - SP 800-160-1 - - Ross RS, Oren JC, McEvilley M (2016) Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 1, Includes updates as of March 21, 2018. - - - - - SP 800-160-2 - - Ross RS, Pillitteri VY, Graubart R, Bodeau D, McQuaid R (2019) Developing Cyber Resilient Systems: A Systems Security Engineering Approach. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-160, Vol. 2. - - - - - SP 800-161 - - Boyens JM, Paulsen C, Moorthy R, Bartol N (2015) Supply Chain Risk Management Practices for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-161. 
- - - - - SP 800-162 - - Hu VC, Ferraiolo DF, Kuhn R, Schnitzer A, Sandlin K, Miller R, Scarfone KA (2014) Guide to Attribute Based Access Control (ABAC) Definition and Considerations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-162, Includes updates as of August 2, 2019. - - - - - SP 800-166 - - Cooper DA, Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Brady S (2016) Derived PIV Application and Data Model Test Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-166. - - - - - SP 800-167 - - Sedgewick A, Souppaya MP, Scarfone KA (2015) Guide to Application Whitelisting. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-167. - - - - - SP 800-171 - - Ross RS, Pillitteri VY, Dempsey KL, Riddle M, Guissanie G (2020) Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-171, Rev. 2. - - - - - SP 800-172 - - Ross RS, Pillitteri VY, Graubart RD, Guissanie G, Wagner R, Bodeau D (2020) Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-172. - - - - - SP 800-177 - - Rose SW, Nightingale S, Garfinkel SL, Chandramouli R (2019) Trustworthy Email. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-177, Rev. 1. - - - - - SP 800-178 - - Ferraiolo DF, Hu VC, Kuhn R, Chandramouli R (2016) A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC). 
(National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-178. - - - - - SP 800-181 - - Petersen R, Santos D, Smith MC, Wetzel KA, Witte G (2020) Workforce Framework for Cybersecurity (NICE Framework). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-181, Rev. 1. - - - - - SP 800-184 - - Bartock M, Scarfone KA, Smith MC, Witte GA, Cichonski JA, Souppaya MP (2016) Guide for Cybersecurity Event Recovery. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-184. - - - - - SP 800-188 - - Garfinkel S (2016) De-Identifying Government Datasets. (National Institute of Standards and Technology, Gaithersburg, MD), Second Draft NIST Special Publication (SP) 800-188. - - - - - SP 800-189 - - Sriram K, Montgomery D (2019) Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-189. - - - - - SP 800-18 - - Swanson MA, Hash J, Bowen P (2006) Guide for Developing Security Plans for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-18, Rev. 1. - - - - - SP 800-192 - - Yaga DJ, Kuhn R, Hu VC (2017) Verification and Test Methods for Access Control Policies/Models. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-192. - - - - - SP 800-28 - - Jansen W, Winograd T, Scarfone KA (2008) Guidelines on Active Content and Mobile Code. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-28, Version 2. - - - - - SP 800-30 - - Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1. 
- - - - - SP 800-32 - - Kuhn R, Hu VC, Polk T, Chang S-J (2001) Introduction to Public Key Technology and the Federal PKI Infrastructure. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-32. - - - - - SP 800-34 - - Swanson MA, Bowen P, Phillips AW, Gallup D, Lynes D (2010) Contingency Planning Guide for Federal Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-34, Rev. 1, Includes updates as of November 11, 2010. - - - - - SP 800-35 - - Grance T, Hash J, Stevens M, O'Neal K, Bartol N (2003) Guide to Information Technology Security Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-35. - - - - - SP 800-37 - - Joint Task Force (2018) Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-37, Rev. 2. - - - - - SP 800-39 - - Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39. - - - - - SP 800-40 - - Souppaya MP, Scarfone KA (2013) Guide to Enterprise Patch Management Technologies. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-40, Rev. 3. - - - - - SP 800-41 - - Scarfone KA, Hoffman P (2009) Guidelines on Firewalls and Firewall Policy. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-41, Rev. 1. - - - - - SP 800-45 - - Tracy MC, Jansen W, Scarfone KA, Butterfield J (2007) Guidelines on Electronic Mail Security. 
(National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-45, Version 2. - - - - - SP 800-46 - - Souppaya MP, Scarfone KA (2016) Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-46, Rev. 2. - - - - - SP 800-47 - - Grance T, Hash J, Peck S, Smith J, Korow-Diks K (2002) Security Guide for Interconnecting Information Technology Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-47. - - - - - SP 800-50 - - Wilson M, Hash J (2003) Building an Information Technology Security Awareness and Training Program. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-50. - - - - - SP 800-52 - - McKay KA, Cooper DA (2019) Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-52, Rev. 2. - - - - - SP 800-53 RES - - NIST Special Publication 800-53, Revision 5 Resource Center. - - - - - SP 800-53A - - Joint Task Force Transformation Initiative (2014) Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53A, Rev. 4, Includes updates as of December 18, 2014. - - - - - SP 800-53B - - Joint Task Force (2020) Control Baselines and Tailoring Guidance for Federal Information Systems and Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-53B. - - - - - SP 800-55 - - Chew E, Swanson MA, Stine KM, Bartol N, Brown A, Robinson W (2008) Performance Measurement Guide for Information Security. 
(National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-55, Rev. 1. - - - - - SP 800-56A - - Barker EB, Chen L, Roginsky A, Vassilev A, Davis R (2018) Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56A, Rev. 3. - - - - - SP 800-56B - - Barker EB, Chen L, Roginsky A, Vassilev A, Davis R, Simon S (2019) Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56B, Rev. 2. - - - - - SP 800-56C - - Barker EB, Chen L, Davis R (2020) Recommendation for Key-Derivation Methods in Key-Establishment Schemes. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-56C, Rev. 2. - - - - - SP 800-57-1 - - Barker EB (2020) Recommendation for Key Management: Part 1 – General. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 1, Rev. 5. - - - - - SP 800-57-2 - - Barker EB, Barker WC (2019) Recommendation for Key Management: Part 2 – Best Practices for Key Management Organizations. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 2, Rev. 1. - - - - - SP 800-57-3 - - Barker EB, Dang QH (2015) Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-57 Part 3, Rev. 1. - - - - - SP 800-60-1 - - Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1. 
- - - - - SP 800-60-2 - - Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1. - - - - - SP 800-61 - - Cichonski PR, Millar T, Grance T, Scarfone KA (2012) Computer Security Incident Handling Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-61, Rev. 2. - - - - - SP 800-63-3 - - Grassi PA, Garcia ME, Fenton JL (2017) Digital Identity Guidelines. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63-3, Includes updates as of March 2, 2020. - - - - - SP 800-63A - - Grassi PA, Fenton JL, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Enrollment and Identity Proofing. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63A, Includes updates as of March 2, 2020. - - - - - SP 800-63B - - Grassi PA, Fenton JL, Newton EM, Perlner RA, Regenscheid AR, Burr WE, Richer, JP, Lefkovitz NB, Danker JM, Choong Y-Y, Greene KK, Theofanos MF (2017) Digital Identity Guidelines: Authentication and Lifecycle Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-63B, Includes updates as of March 2, 2020. - - - - - SP 800-70 - - Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4. - - - - - SP 800-73-4 - - Cooper DA, Ferraiolo H, Mehta KL, Francomacaro S, Chandramouli R, Mohler J (2015) Interfaces for Personal Identity Verification. 
(National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-73-4, Includes updates as of February 8, 2016. - - - - - SP 800-76-2 - - Grother PJ, Salamon WJ, Chandramouli R (2013) Biometric Specifications for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-76-2. - - - - - SP 800-77 - - Barker EB, Dang QH, Frankel SE, Scarfone KA, Wouters P (2020) Guide to IPsec VPNs. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-77, Rev. 1. - - - - - SP 800-78-4 - - Polk T, Dodson DF, Burr WE, Ferraiolo H, Cooper DA (2015) Cryptographic Algorithms and Key Sizes for Personal Identity Verification. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-78-4. - - - - - SP 800-79-2 - - Ferraiolo H, Chandramouli R, Ghadiali N, Mohler J, Shorter S (2015) Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-79-2. - - - - - SP 800-81-2 - - Chandramouli R, Rose SW (2013) Secure Domain Name System (DNS) Deployment Guide. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-81-2. - - - - - SP 800-82 - - Stouffer KA, Lightman S, Pillitteri VY, Abrams M, Hahn A (2015) Guide to Industrial Control Systems (ICS) Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-82, Rev. 2. - - - - - SP 800-83 - - Souppaya MP, Scarfone KA (2013) Guide to Malware Incident Prevention and Handling for Desktops and Laptops. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-83, Rev. 1. 
- - - - - SP 800-84 - - Grance T, Nolan T, Burke K, Dudley R, White G, Good T (2006) Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-84. - - - - - SP 800-86 - - Kent K, Chevalier S, Grance T, Dang H (2006) Guide to Integrating Forensic Techniques into Incident Response. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-86. - - - - - SP 800-88 - - Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1. - - - - - SP 800-92 - - Kent K, Souppaya MP (2006) Guide to Computer Security Log Management. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-92. - - - - - SP 800-94 - - Scarfone KA, Mell PM (2007) Guide to Intrusion Detection and Prevention Systems (IDPS). (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-94. - - - - - SP 800-95 - - Singhal A, Winograd T, Scarfone KA (2007) Guide to Secure Web Services. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-95. - - - - - SP 800-97 - - Frankel SE, Eydt B, Owens L, Scarfone KA (2007) Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-97. - - - - - USA PATRIOT - - USA Patriot Act (P.L. 107-56), October 2001. - - - - - USC 11101 - - Definitions, Title 40 U.S. Code, Sec. 11101. 2018 ed. - - - - - USC 2901 - - United States Code, 2008 Edition, Title 44 - Public Printing and Documents , Chapters 29, 31, and 33, January 2012. - - - - - USC 3502 - - Definitions, Title 44 U.S. Code, Sec. 3502. 2011 ed. 
- - - - - USC 552 - - United States Code, 2006 Edition, Supplement 4, Title 5 - Government Organization and Employees , January 2011. - - - - - USCERT IR - - Department of Homeland Security, US-CERT Federal Incident Notification Guidelines , April 2017. - - - - - USGCB - - National Institute of Standards and Technology (2020) United States Government Configuration Baseline . Available at - - - - - NIST Special Publication 800-53, Revision 5: <em> Security and Privacy Controls for Information Systems and Organizations</em> (PDF) - - - - NIST Special Publication 800-53, Revision 5: <em> Security and Privacy Controls for Information Systems and Organizations</em> (DOI link) - - - -
\ No newline at end of file +
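Review bot: the `-` lines in this closing hunk remove the entire back-matter resource list (the SP 800-60-2 through USGCB citations and the two NIST SP 800-53 Rev 5 self-references for the PDF and DOI links), while the only `+` side visible is a single added line that also gives the file the trailing newline the old version lacked, so the hunk alone does not show that these citations survive. If this is a re-serialization of the catalog onto fewer, longer lines, please confirm the resource entries are still present in the output (for example by comparing with a whitespace-insensitive diff or by counting the resource entries before and after), and consider landing the reformat in its own commit so the IA-13.3 addition and the version metadata change can be reviewed without the serialization noise.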