NIST SP 800-171A Appendix D

3.1 ACCESS CONTROL

3.1.1

3.1.1 SECURITY REQUIREMENT
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
ASSESSMENT OBJECTIVE
Determine if:
3.1.1[a] authorized users are identified.
3.1.1[b] processes acting on behalf of authorized users are identified.
3.1.1[c] devices (and other systems) authorized to connect to the system are identified.
3.1.1[d] system access is limited to authorized users.
3.1.1[e] system access is limited to processes acting on behalf of authorized users.
3.1.1[f] system access is limited to authorized devices (including other systems).
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing account management; system security plan; system design documentation; system configuration settings and associated documentation; list of active system accounts and the name of the individual associated with each account; notifications or records of recently transferred, separated, or terminated employees; list of conditions for group and role membership; list of recently disabled system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; system monitoring records; system audit logs and records; list of devices and systems authorized to connect to organizational systems; other relevant documents or records].

Interview: [SELECT FROM: Personnel with account management responsibilities; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for managing system accounts; mechanisms for implementing account management].

3.1.2

3.1.2 SECURITY REQUIREMENT
Limit system access to the types of transactions and functions that authorized users are permitted to execute.
ASSESSMENT OBJECTIVE
Determine if:
3.1.2[a] the types of transactions and functions that authorized users are permitted to execute are defined.
3.1.2[b] system access is limited to the defined types of transactions and functions for authorized users.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; system security plan; system design documentation; list of approved authorizations including remote access authorizations; system audit logs and records; system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Personnel with access enforcement responsibilities; system or network administrators; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Mechanisms implementing access control policy].

3.1.3

3.1.3 SECURITY REQUIREMENT
Control the flow of CUI in accordance with approved authorizations.
ASSESSMENT OBJECTIVE
Determine if:
3.1.3[a] information flow control policies are defined.
3.1.3[b] methods and enforcement mechanisms for controlling the flow of CUI are defined.
3.1.3[c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified.
3.1.3[d] authorizations for controlling the flow of CUI are defined.
3.1.3[e] approved authorizations for controlling the flow of CUI are enforced.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; information flow control policies; procedures addressing information flow enforcement; system security plan; system design documentation; system configuration settings and associated documentation; list of information flow authorizations; system baseline configuration; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Mechanisms implementing information flow enforcement policy].

3.1.4

3.1.4 SECURITY REQUIREMENT
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
ASSESSMENT OBJECTIVE
Determine if:
3.1.4[a] the duties of individuals requiring separation are defined.
3.1.4[b] responsibilities for duties that require separation are assigned to separate individuals.
3.1.4[c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing divisions of responsibility and separation of duties; system security plan; system configuration settings and associated documentation; list of divisions of responsibility and separation of duties; system access authorizations; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibilities for defining divisions of responsibility and separation of duties; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Mechanisms implementing separation of duties policy].

3.1.5

3.1.5 SECURITY REQUIREMENT
Employ the principle of least privilege, including for specific security functions and privileged accounts.
ASSESSMENT OBJECTIVE
Determine if:
3.1.5[a] privileged accounts are identified.
3.1.5[b] access to privileged accounts is authorized in accordance with the principle of least privilege.
3.1.5[c] security functions are identified.
3.1.5[d] access to security functions is authorized in accordance with the principle of least privilege.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing account management; system security plan; system design documentation; system configuration settings and associated documentation; list of active system accounts and the name of the individual associated with each account; list of conditions for group and role membership; notifications or records of recently transferred, separated, or terminated employees; list of recently disabled system accounts along with the name of the individual associated with each account; access authorization records; account management compliance reviews; system monitoring/audit records; procedures addressing least privilege; list of security functions (deployed in hardware, software, and firmware) and security-relevant information for which access is to be explicitly authorized; list of system-generated privileged accounts; list of system administration personnel; other relevant documents or records].

Interview: [SELECT FROM: Personnel with account management responsibilities; system or network administrators; personnel with information security responsibilities; personnel with responsibilities for defining least privileges necessary to accomplish specified tasks].
Test: [SELECT FROM: Organizational processes for managing system accounts; mechanisms for implementing account management; mechanisms implementing least privilege functions; mechanisms prohibiting privileged access to the system].

3.1.6

3.1.6 SECURITY REQUIREMENT
Use non-privileged accounts or roles when accessing nonsecurity functions.
ASSESSMENT OBJECTIVE
Determine if:
3.1.6[a] nonsecurity functions are identified.
3.1.6[b] users are required to use non-privileged accounts or roles when accessing nonsecurity functions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; system security plan; list of system-generated security functions assigned to system accounts or roles; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibilities for defining least privileges necessary to accomplish specified organizational tasks; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Mechanisms implementing least privilege functions].

3.1.7

3.1.7 SECURITY REQUIREMENT
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
ASSESSMENT OBJECTIVE
Determine if:
3.1.7[a] privileged functions are defined.
3.1.7[b] non-privileged users are defined.
3.1.7[c] non-privileged users are prevented from executing privileged functions.
3.1.7[d] the execution of privileged functions is captured in audit logs.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing least privilege; system security plan; system design documentation; list of privileged functions and associated user account assignments; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibilities for defining least privileges necessary to accomplish specified tasks; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Mechanisms implementing least privilege functions for non-privileged users; mechanisms auditing the execution of privileged functions].

3.1.8

3.1.8 SECURITY REQUIREMENT
Limit unsuccessful logon attempts.
ASSESSMENT OBJECTIVE
Determine if:
3.1.8[a] the means of limiting unsuccessful logon attempts is defined.
3.1.8[b] the defined means of limiting unsuccessful logon attempts is implemented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing unsuccessful logon attempts; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with information security responsibilities; system developers; system or network administrators].
Test: [SELECT FROM: Mechanisms implementing access control policy for unsuccessful logon attempts].

3.1.9

3.1.9 SECURITY REQUIREMENT
Provide privacy and security notices consistent with applicable CUI rules.
ASSESSMENT OBJECTIVE
Determine if:
3.1.9[a] privacy and security notices required by CUI-specified rules are identified, consistent, and associated with the specific CUI category.
3.1.9[b] privacy and security notices are displayed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Privacy and security policies, procedures addressing system use notification; documented approval of system use notification messages or banners; system audit logs and records; system design documentation; user acknowledgments of notification message or banner; system security plan; system use notification messages; system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel with responsibility for providing legal advice; system developers].
Test: [SELECT FROM: Mechanisms implementing system use notification].

3.1.10

3.1.10 SECURITY REQUIREMENT
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
ASSESSMENT OBJECTIVE
Determine if:
3.1.10[a] the period of inactivity after which the system initiates a session lock is defined.
3.1.10[b] access to the system and viewing of data is prevented by initiating a session lock after the defined period of inactivity.
3.1.10[c] previously visible information is concealed via a pattern-hiding display after the defined period of inactivity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing session lock; procedures addressing identification and authentication; system design documentation; system configuration settings and associated documentation; system security plan; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Mechanisms implementing access control policy for session lock].

3.1.11

3.1.11 SECURITY REQUIREMENT
Terminate (automatically) a user session after a defined condition.
ASSESSMENT OBJECTIVE
Determine if:
3.1.11[a] conditions requiring a user session to terminate are defined.
3.1.11[b] a user session is automatically terminated after any of the defined conditions occur.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing session termination; system design documentation; system security plan; system configuration settings and associated documentation; list of conditions or trigger events requiring session disconnect; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Mechanisms implementing user session termination].

3.1.12

3.1.12 SECURITY REQUIREMENT
Monitor and control remote access sessions.
ASSESSMENT OBJECTIVE
Determine if:
3.1.12[a] remote access sessions are permitted.
3.1.12[b] the types of permitted remote access are identified.
3.1.12[c] remote access sessions are controlled.
3.1.12[d] remote access sessions are monitored.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing remote access implementation and usage (including restrictions); configuration management plan; system security plan; system design documentation; system configuration settings and associated documentation; remote access authorizations; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibilities for managing remote access connections; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Remote access management capability for the system].

3.1.13

3.1.13 SECURITY REQUIREMENT
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
ASSESSMENT OBJECTIVE
Determine if:
3.1.13[a] cryptographic mechanisms to protect the confidentiality of remote access sessions are identified.
3.1.13[b] cryptographic mechanisms to protect the confidentiality of remote access sessions are implemented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the system; system security plan; system design documentation; system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Cryptographic mechanisms protecting remote access sessions].

3.1.14

3.1.14 SECURITY REQUIREMENT
Route remote access via managed access control points.
ASSESSMENT OBJECTIVE
Determine if:
3.1.14[a] managed access control points are identified and implemented.
3.1.14[b] remote access is routed through managed network access control points.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the system; system security plan; system design documentation; list of all managed network access control points; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms routing all remote accesses through managed network access control points].

3.1.15

3.1.15 SECURITY REQUIREMENT
Authorize remote execution of privileged commands and remote access to security-relevant information.
ASSESSMENT OBJECTIVE
Determine if:
3.1.15[a] privileged commands authorized for remote execution are identified.
3.1.15[b] security-relevant information authorized to be accessed remotely is identified.
3.1.15[c] the execution of the identified privileged commands via remote access is authorized.
3.1.15[d] access to the identified security-relevant information via remote access is authorized.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing remote access to the system; system configuration settings and associated documentation; system security plan; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms implementing remote access management].

3.1.16

3.1.16 SECURITY REQUIREMENT
Authorize wireless access prior to allowing such connections.
ASSESSMENT OBJECTIVE
Determine if:
3.1.16[a] wireless access points are identified.
3.1.16[b] wireless access is authorized prior to allowing such connections.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; configuration management plan; procedures addressing wireless access implementation and usage (including restrictions); system security plan; system design documentation; system configuration settings and associated documentation; wireless access authorizations; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibilities for managing wireless access connections; personnel with information security responsibilities].
Test: [SELECT FROM: Wireless access management capability for the system].

3.1.17

3.1.17 SECURITY REQUIREMENT
Protect wireless access using authentication and encryption.
ASSESSMENT OBJECTIVE
Determine if:
3.1.17[a] wireless access to the system is protected using authentication.
3.1.17[b] wireless access to the system is protected using encryption.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; system design documentation; procedures addressing wireless implementation and usage (including restrictions); system security plan; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developers].
Test: [SELECT FROM: Mechanisms implementing wireless access protections to the system].

3.1.18

3.1.18 SECURITY REQUIREMENT
Control connection of mobile devices.
ASSESSMENT OBJECTIVE
Determine if:
3.1.18[a] mobile devices that process, store, or transmit CUI are identified.
3.1.18[b] mobile device connections are authorized.
3.1.18[c] mobile device connections are monitored and logged.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; authorizations for mobile device connections to organizational systems; procedures addressing access control for mobile device usage (including restrictions); system design documentation; configuration management plan; system security plan; system audit logs and records; system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: Personnel using mobile devices to access organizational systems; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Access control capability authorizing mobile device connections to organizational systems].

3.1.19

3.1.19 SECURITY REQUIREMENT
Encrypt CUI on mobile devices and mobile computing platforms.
ASSESSMENT OBJECTIVE
Determine if:
3.1.19[a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified.
3.1.19[b] encryption is employed to protect CUI on identified mobile devices and mobile computing platforms.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing access control for mobile devices; system design documentation; system configuration settings and associated documentation; encryption mechanisms and associated configuration documentation; system security plan; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with access control responsibilities for mobile devices; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Encryption mechanisms protecting confidentiality of information on mobile devices].

3.1.20

3.1.20 SECURITY REQUIREMENT
Verify and control/limit connections to and use of external systems.
ASSESSMENT OBJECTIVE
Determine if:
3.1.20[a] connections to external systems are identified.
3.1.20[b] the use of external systems is identified.
3.1.20[c] connections to external systems are verified.
3.1.20[d] the use of external systems is verified.
3.1.20[e] connections to external systems are controlled/limited.
3.1.20[f] the use of external systems is controlled/limited.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing the use of external systems; terms and conditions for external systems; system security plan; list of applications accessible from external systems; system configuration settings and associated documentation; system connection or processing agreements; account management documents; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms implementing terms and conditions on use of external systems].

3.1.21

3.1.21 SECURITY REQUIREMENT
Limit use of portable storage devices on external systems.
ASSESSMENT OBJECTIVE
Determine if:
3.1.21[a] the use of portable storage devices containing CUI on external systems is identified and documented.
3.1.21[b] limits on the use of portable storage devices containing CUI on external systems are defined.
3.1.21[c] the use of portable storage devices containing CUI on external systems is limited as defined.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing the use of external systems; system security plan; system configuration settings and associated documentation; system connection or processing agreements; account management documents; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibilities for restricting or prohibiting use of organization-controlled storage devices on external systems; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms implementing restrictions on use of portable storage devices].

3.1.22

3.1.22 SECURITY REQUIREMENT
Control CUI posted or processed on publicly accessible systems.
ASSESSMENT OBJECTIVE
Determine if:
3.1.22[a] individuals authorized to post or process information on publicly accessible systems are identified.
3.1.22[b] procedures to ensure CUI is not posted or processed on publicly accessible systems are identified.
3.1.22[c] a review process is in place prior to posting of any content to publicly accessible systems.
3.1.22[d] content on publicly accessible systems is reviewed to ensure that it does not include CUI.
3.1.22[e] mechanisms are in place to remove and address improper posting of CUI.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Access control policy; procedures addressing publicly accessible content; system security plan; list of users authorized to post publicly accessible content on organizational systems; training materials and/or records; records of publicly accessible information reviews; records of response to nonpublic information on public websites; system audit logs and records; security awareness training records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibilities for managing publicly accessible information posted on organizational systems; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms implementing management of publicly accessible content].

3.2 AWARENESS AND TRAINING

3.2.1

3.2.1 SECURITY REQUIREMENT
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
ASSESSMENT OBJECTIVE
Determine if:
3.2.1[a] security risks associated with organizational activities involving CUI are identified.
3.2.1[b] policies, standards, and procedures related to the security of the system are identified.
3.2.1[c] managers, systems administrators, and users of the system are made aware of the security risks associated with their activities.
3.2.1[d] managers, systems administrators, and users of the system are made aware of the applicable policies, standards, and procedures related to the security of the system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security awareness training implementation; relevant codes of federal regulations; security awareness training curriculum; security awareness training materials; system security plan; training records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibilities for security awareness training; personnel with information security responsibilities; personnel composing the general system user community; personnel with responsibilities for role-based awareness training].
Test: [SELECT FROM: Mechanisms managing security awareness training; mechanisms managing role-based security training].

3.2.2

3.2.2 SECURITY REQUIREMENT
Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
ASSESSMENT OBJECTIVE
Determine if:
3.2.2[a] information security-related duties, roles, and responsibilities are defined.
3.2.2[b] information security-related duties, roles, and responsibilities are assigned to designated personnel.
3.2.2[c] personnel are adequately trained to carry out their assigned information security-related duties, roles, and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security training implementation; codes of federal regulations; security training curriculum; security training materials; system security plan; training records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibilities for role-based security training; personnel with assigned system security roles and responsibilities; personnel with responsibilities for security awareness training; personnel with information security responsibilities; personnel representing the general system user community].
Test: [SELECT FROM: Mechanisms managing role-based security training; mechanisms managing security awareness training].

3.2.3

3.2.3 SECURITY REQUIREMENT
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
ASSESSMENT OBJECTIVE
Determine if:
3.2.3[a] potential indicators associated with insider threats are identified.
3.2.3[b] security awareness training on recognizing and reporting potential indicators of insider threat is provided to managers and employees.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Security awareness and training policy; procedures addressing security awareness training implementation; security awareness training curriculum; security awareness training materials; insider threat policy and procedures; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Personnel that participate in security awareness training; personnel with responsibilities for basic security awareness training; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms managing insider threat training].

3.3 AUDIT AND ACCOUNTABILITY

3.3.1

3.3.1 SECURITY REQUIREMENT
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
ASSESSMENT OBJECTIVE
Determine if:
3.3.1[a] audit logs needed (i.e., event types to be logged) to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity are specified.
3.3.1[b] the content of audit records needed to support monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity is defined.
3.3.1[c] audit records are created (generated).
3.3.1[d] audit records, once created, contain the defined content.
3.3.1[e] retention requirements for audit records are defined.
3.3.1[f] audit records are retained as defined.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing auditable events; system security plan; system design documentation; system configuration settings and associated documentation; procedures addressing control of audit records; procedures addressing audit record generation; system audit logs and records; system auditable events; system incident reports; other relevant documents or records].

Interview: [SELECT FROM: Personnel with audit and accountability responsibilities; personnel with information security responsibilities; personnel with audit review, analysis and reporting responsibilities; system or network administrators].
Test: [SELECT FROM: Mechanisms implementing system audit logging].

3.3.2

3.3.2 SECURITY REQUIREMENT
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
ASSESSMENT OBJECTIVE
Determine if:
3.3.2[a] the content of the audit records needed to support the ability to uniquely trace users to their actions is defined.
3.3.2[b] audit records, once created, contain the defined content.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit records and event types; system security plan; system design documentation; system configuration settings and associated documentation; procedures addressing audit record generation; procedures addressing audit review, analysis, and reporting; reports of audit findings; system audit logs and records; system events; system incident reports; other relevant documents or records].

Interview: [SELECT FROM: Personnel with audit and accountability responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Mechanisms implementing system audit logging].

3.3.3

3.3.3 SECURITY REQUIREMENT
Review and update logged events.
ASSESSMENT OBJECTIVE
Determine if:
3.3.3[a] a process for determining when to review logged events is defined.
3.3.3[b] event types being logged are reviewed in accordance with the defined review process.
3.3.3[c] event types being logged are updated based on the review.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit records and event types; system security plan; list of organization-defined event types to be logged; reviewed and updated records of logged event types; system audit logs and records; system incident reports; other relevant documents or records].

Interview: [SELECT FROM: Personnel with audit and accountability responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms supporting review and update of logged event types].

3.3.4

3.3.4 SECURITY REQUIREMENT
Alert in the event of an audit logging process failure.
ASSESSMENT OBJECTIVE
Determine if:
3.3.4[a] personnel or roles to be alerted in the event of an audit logging process failure are identified.
3.3.4[b] types of audit logging process failures for which an alert will be generated are defined.
3.3.4[c] identified personnel or roles are alerted in the event of an audit logging process failure.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing response to audit logging processing failures; system design documentation; system security plan; system configuration settings and associated documentation; list of personnel to be notified in case of an audit logging processing failure; system incident reports; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with audit and accountability responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms implementing system response to audit logging processing failures].

3.3.5

3.3.5 SECURITY REQUIREMENT
Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
ASSESSMENT OBJECTIVE
Determine if:
3.3.5[a] audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity are defined.
3.3.5[b] defined audit record review, analysis, and reporting processes are correlated.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record review, analysis, and reporting; system security plan; system design documentation; system configuration settings and associated documentation; procedures addressing investigation of and response to suspicious activities; system audit logs and records across different repositories; other relevant documents or records].

Interview: [SELECT FROM: Personnel with audit record review, analysis, and reporting responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms supporting analysis and correlation of audit records; mechanisms integrating audit review, analysis and reporting].

3.3.6

3.3.6 SECURITY REQUIREMENT
Provide audit record reduction and report generation to support on-demand analysis and reporting.
ASSESSMENT OBJECTIVE
Determine if:
3.3.6[a] an audit record reduction capability that supports on-demand analysis is provided.
3.3.6[b] a report generation capability that supports on-demand reporting is provided.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing audit record reduction and report generation; system design documentation; system security plan; system configuration settings and associated documentation; audit record reduction, review, analysis, and reporting tools; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with audit record reduction and report generation responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Audit record reduction and report generation capability].

3.3.7

3.3.7 SECURITY REQUIREMENT
Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
ASSESSMENT OBJECTIVE
Determine if:
3.3.7[a] internal system clocks are used to generate time stamps for audit records.
3.3.7[b] an authoritative source with which to compare and synchronize internal system clocks is specified.
3.3.7[c] internal system clocks used to generate time stamps for audit records are compared to and synchronized with the specified authoritative time source.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Audit and accountability policy; procedures addressing time stamp generation; system design documentation; system security plan; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms implementing time stamp generation; mechanisms implementing internal information system clock synchronization].

3.3.8

3.3.8 SECURITY REQUIREMENT
Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
ASSESSMENT OBJECTIVE
Determine if:
3.3.8[a] audit information is protected from unauthorized access.
3.3.8[b] audit information is protected from unauthorized modification.
3.3.8[c] audit information is protected from unauthorized deletion.
3.3.8[d] audit logging tools are protected from unauthorized access.
3.3.8[e] audit logging tools are protected from unauthorized modification.
3.3.8[f] audit logging tools are protected from unauthorized deletion.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Audit and accountability policy; access control policy and procedures; procedures addressing protection of audit information; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; audit logging tools; other relevant documents or records].

Interview: [SELECT FROM: Personnel with audit and accountability responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms implementing audit information protection].

3.3.9

3.3.9 SECURITY REQUIREMENT
Limit management of audit logging functionality to a subset of privileged users.
ASSESSMENT OBJECTIVE
Determine if:
3.3.9[a] a subset of privileged users granted access to manage audit logging functionality is defined.
3.3.9[b] management of audit logging functionality is limited to the defined subset of privileged users.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Audit and accountability policy; access control policy and procedures; procedures addressing protection of audit information; system security plan; system design documentation; system configuration settings and associated documentation; access authorizations; system-generated list of privileged users with access to management of audit logging functionality; access control list; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with audit and accountability responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms managing access to audit logging functionality].

3.4 CONFIGURATION MANAGEMENT

3.4.1

3.4.1 SECURITY REQUIREMENT
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
ASSESSMENT OBJECTIVE
Determine if:
3.4.1[a] a baseline configuration is established.
3.4.1[b] the baseline configuration includes hardware, software, firmware, and documentation.
3.4.1[c] the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle.
3.4.1[d] a system inventory is established.
3.4.1[e] the system inventory includes hardware, software, firmware, and documentation.
3.4.1[f] the inventory is maintained (reviewed and updated) throughout the system development life cycle.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Configuration management policy; procedures addressing the baseline configuration of the system; procedures addressing system inventory; system security plan; configuration management plan; system inventory records; inventory review and update records; enterprise architecture documentation; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; change control records; system component installation records; system component removal records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with configuration management responsibilities; personnel with responsibilities for establishing the system inventory; personnel with responsibilities for updating the system inventory; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for managing baseline configurations; mechanisms supporting configuration control of the baseline configuration; organizational processes for developing and documenting an inventory of system components; organizational processes for updating inventory of system components; mechanisms supporting or implementing the system inventory; mechanisms implementing updating of the system inventory].

3.4.2

3.4.2 SECURITY REQUIREMENT
Establish and enforce security configuration settings for information technology products employed in organizational systems.
ASSESSMENT OBJECTIVE
Determine if:
3.4.2[a] security configuration settings for information technology products employed in the system are established and included in the baseline configuration.
3.4.2[b] security configuration settings for information technology products employed in the system are enforced.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Configuration management policy; baseline configuration; procedures addressing configuration settings for the system; configuration management plan; system security plan; system design documentation; system configuration settings and associated documentation; security configuration checklists; evidence supporting approved deviations from established configuration settings; change control records; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with security configuration management responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for managing configuration settings; mechanisms that implement, monitor, and/or control system configuration settings; mechanisms that identify and/or document deviations from established configuration settings; processes for managing baseline configurations; mechanisms supporting configuration control of baseline configurations].

3.4.3

3.4.3 SECURITY REQUIREMENT
Track, review, approve or disapprove, and log changes to organizational systems.
ASSESSMENT OBJECTIVE
Determine if:
3.4.3[a] changes to the system are tracked.
3.4.3[b] changes to the system are reviewed.
3.4.3[c] changes to the system are approved or disapproved.
3.4.3[d] changes to the system are logged.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Configuration management policy; procedures addressing system configuration change control; configuration management plan; system architecture and configuration documentation; system security plan; change control records; system audit logs and records; change control audit and review reports; agenda/minutes from configuration change control oversight meetings; other relevant documents or records].

Interview: [SELECT FROM: Personnel with configuration change control responsibilities; personnel with information security responsibilities; system or network administrators; members of change control board or similar].
Test: [SELECT FROM: Organizational processes for configuration change control; mechanisms that implement configuration change control].

3.4.4

3.4.4 SECURITY REQUIREMENT
Analyze the security impact of changes prior to implementation.
ASSESSMENT OBJECTIVE
Determine if the security impact of changes to the system is analyzed prior to implementation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Configuration management policy; procedures addressing security impact analysis for system changes; configuration management plan; security impact analysis documentation; system security plan; analysis tools and associated outputs; change control records; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibility for conducting security impact analysis; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for security impact analysis].

3.4.5

3.4.5 SECURITY REQUIREMENT
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
ASSESSMENT OBJECTIVE
Determine if:
3.4.5[a] physical access restrictions associated with changes to the system are defined.
3.4.5[b] physical access restrictions associated with changes to the system are documented.
3.4.5[c] physical access restrictions associated with changes to the system are approved.
3.4.5[d] physical access restrictions associated with changes to the system are enforced.
3.4.5[e] logical access restrictions associated with changes to the system are defined.
3.4.5[f] logical access restrictions associated with changes to the system are documented.
3.4.5[g] logical access restrictions associated with changes to the system are approved.
3.4.5[h] logical access restrictions associated with changes to the system are enforced.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Configuration management policy; procedures addressing access restrictions for changes to the system; system security plan; configuration management plan; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; logical access approvals; physical access approvals; access credentials; change control records; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with logical access control responsibilities; personnel with physical access control responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for managing access restrictions associated with changes to the system; mechanisms supporting, implementing, and enforcing access restrictions associated with changes to the system].

3.4.6

3.4.6 SECURITY REQUIREMENT
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
ASSESSMENT OBJECTIVE
Determine if:
3.4.6[a] essential system capabilities are defined based on the principle of least functionality.
3.4.6[b] the system is configured to provide only the defined essential capabilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing least functionality in the system; system security plan; system design documentation; system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].

Interview: [SELECT FROM: Personnel with security configuration management responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes prohibiting or restricting functions, ports, protocols, or services; mechanisms implementing restrictions or prohibition of functions, ports, protocols, or services].

3.4.7

3.4.7 SECURITY REQUIREMENT
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
ASSESSMENT OBJECTIVE
Determine if:
3.4.7[a] essential programs are defined.
3.4.7[b] the use of nonessential programs is defined.
3.4.7[c] the use of nonessential programs is restricted, disabled, or prevented as defined.
3.4.7[d] essential functions are defined.
3.4.7[e] the use of nonessential functions is defined.
3.4.7[f] the use of nonessential functions is restricted, disabled, or prevented as defined.
3.4.7[g] essential ports are defined.
3.4.7[h] the use of nonessential ports is defined.
3.4.7[i] the use of nonessential ports is restricted, disabled, or prevented as defined.
3.4.7[j] essential protocols are defined.
3.4.7[k] the use of nonessential protocols is defined.
3.4.7[l] the use of nonessential protocols is restricted, disabled, or prevented as defined.
3.4.7[m] essential services are defined.
3.4.7[n] the use of nonessential services is defined.
3.4.7[o] the use of nonessential services is restricted, disabled, or prevented as defined.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; system security plan; system design documentation; security configuration checklists; system configuration settings and associated documentation; specifications for preventing software program execution; documented reviews of programs, functions, ports, protocols, and/or services; change control records; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibilities for reviewing programs, functions, ports, protocols, and services on the system; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Organizational processes for reviewing and disabling nonessential programs, functions, ports, protocols, or services; mechanisms implementing review and handling of nonessential programs, functions, ports, protocols, or services; organizational processes preventing program execution on the system; organizational processes for software program usage and restrictions; mechanisms supporting or implementing software program usage and restrictions; mechanisms preventing program execution on the system].

3.4.8

3.4.8 SECURITY REQUIREMENT
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
ASSESSMENT OBJECTIVE
Determine if:
3.4.8[a] a policy specifying whether whitelisting or blacklisting is to be implemented is specified.
3.4.8[b] the software allowed to execute under whitelisting or denied use under blacklisting is specified.
3.4.8[c] whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; system security plan; configuration management plan; system design documentation; system configuration settings and associated documentation; list of software programs not authorized to execute on the system; list of software programs authorized to execute on the system; security configuration checklists; review and update records associated with list of authorized or unauthorized software programs; change control records; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibilities for identifying software authorized or not authorized to execute on the system; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational process for identifying, reviewing, and updating programs authorized or not authorized to execute on the system; process for implementing blacklisting or whitelisting; mechanisms supporting or implementing blacklisting or whitelisting].

3.4.9

3.4.9 SECURITY REQUIREMENT
Control and monitor user-installed software.
ASSESSMENT OBJECTIVE
Determine if:
3.4.9[a] a policy for controlling the installation of software by users is established.
3.4.9[b] installation of software by users is controlled based on the established policy.
3.4.9[c] installation of software by users is monitored.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Configuration management policy; procedures addressing user installed software; configuration management plan; system security plan; system design documentation; system configuration settings and associated documentation; list of rules governing user-installed software; system monitoring records; system audit logs and records; continuous monitoring strategy; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibilities for governing user-installed software; personnel operating, using, or maintaining the system; personnel monitoring compliance with user-installed software policy; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes governing user-installed software on the system; mechanisms enforcing rules or methods for governing the installation of software by users; mechanisms monitoring policy compliance].

3.5 IDENTIFICATION AND AUTHENTICATION

3.5.1

3.5.1 SECURITY REQUIREMENT
Identify system users, processes acting on behalf of users, and devices.
ASSESSMENT OBJECTIVE
Determine if:
3.5.1[a] system users are identified.
3.5.1[b] processes acting on behalf of users are identified.
3.5.1[c] devices accessing the system are identified.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; list of system accounts; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system operations responsibilities; personnel with information security responsibilities; system or network administrators; personnel with account management responsibilities; system developers].
Test: [SELECT FROM: Organizational processes for uniquely identifying and authenticating users; mechanisms supporting or implementing identification and authentication capability].

3.5.2

3.5.2 SECURITY REQUIREMENT
Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
ASSESSMENT OBJECTIVE
Determine if:
3.5.2[a] the identity of each user is authenticated or verified as a prerequisite to system access.
3.5.2[b] the identity of each process acting on behalf of a user is authenticated or verified as a prerequisite to system access.
3.5.2[c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Identification and authentication policy; system security plan; procedures addressing authenticator management; procedures addressing user identification and authentication; system design documentation; list of system authenticator types; system configuration settings and associated documentation; change control records associated with managing system authenticators; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Mechanisms supporting or implementing authenticator management capability].

3.5.3

3.5.3 SECURITY REQUIREMENT
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
ASSESSMENT OBJECTIVE
Determine if:
3.5.3[a] privileged accounts are identified.
3.5.3[b] multifactor authentication is implemented for local access to privileged accounts.
3.5.3[c] multifactor authentication is implemented for network access to privileged accounts.
3.5.3[d] multifactor authentication is implemented for network access to non-privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; list of system accounts; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system operations responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing multifactor authentication capability].

3.5.4

3.5.4 SECURITY REQUIREMENT
Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
ASSESSMENT OBJECTIVE
Determine if replay-resistant authentication mechanisms are implemented for network account access to privileged and non-privileged accounts.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing user identification and authentication; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; list of privileged system accounts; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system operations responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing identification and authentication capability or replay-resistant authentication mechanisms].

3.5.5

3.5.5 SECURITY REQUIREMENT
Prevent reuse of identifiers for a defined period.
ASSESSMENT OBJECTIVE
Determine if:
3.5.5[a] a period within which identifiers cannot be reused is defined.
3.5.5[b] reuse of identifiers is prevented within the defined period.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; system security plan; system design documentation; system configuration settings and associated documentation; list of system accounts; list of identifiers generated from physical access control devices; other relevant documents or records].

Interview: [SELECT FROM: Personnel with identifier management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing identifier management].

3.5.6

3.5.6 SECURITY REQUIREMENT
Disable identifiers after a defined period of inactivity.
ASSESSMENT OBJECTIVE
Determine if:
3.5.6[a] a period of inactivity after which an identifier is disabled is defined.
3.5.6[b] identifiers are disabled after the defined period of inactivity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing identifier management; procedures addressing account management; system security plan; system design documentation; system configuration settings and associated documentation; list of system accounts; list of identifiers generated from physical access control devices; other relevant documents or records].

Interview: [SELECT FROM: Personnel with identifier management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing identifier management].

3.5.7

3.5.7 SECURITY REQUIREMENT
Enforce a minimum password complexity and change of characters when new passwords are created.
ASSESSMENT OBJECTIVE
Determine if:
3.5.7[a] password complexity requirements are defined.
3.5.7[b] password change of character requirements are defined.
3.5.7[c] minimum password complexity requirements as defined are enforced when new passwords are created.
3.5.7[d] minimum password change of character requirements as defined are enforced when new passwords are created.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; system security plan; system configuration settings and associated documentation; system design documentation; password configurations and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].

3.5.8

3.5.8 SECURITY REQUIREMENT
Prohibit password reuse for a specified number of generations.
ASSESSMENT OBJECTIVE
Determine if:
3.5.8[a] the number of generations during which a password cannot be reused is specified.
3.5.8[b] reuse of passwords is prohibited during the specified number of generations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; system security plan; system design documentation; system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].

3.5.9

3.5.9 SECURITY REQUIREMENT
Allow temporary password use for system logons with an immediate change to a permanent password.
ASSESSMENT OBJECTIVE
Determine if an immediate change to a permanent password is required when a temporary password is used for system logon.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; system security plan; system configuration settings and associated documentation; system design documentation; password configurations and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].

3.5.10

3.5.10 SECURITY REQUIREMENT
Store and transmit only cryptographically-protected passwords.
ASSESSMENT OBJECTIVE
Determine if:
3.5.10[a] passwords are cryptographically protected in storage.
3.5.10[b] passwords are cryptographically protected in transit.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; system security plan; system configuration settings and associated documentation; system design documentation; password configurations and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Personnel with authenticator management responsibilities; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing password-based authenticator management capability].

3.5.11

3.5.11 SECURITY REQUIREMENT
Obscure feedback of authentication information.
ASSESSMENT OBJECTIVE
Determine if authentication information is obscured during the authentication process.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Identification and authentication policy; procedures addressing authenticator feedback; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Mechanisms supporting or implementing the obscuring of feedback of authentication information during authentication].

3.6 INCIDENT RESPONSE

3.6.1

3.6.1 SECURITY REQUIREMENT
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
ASSESSMENT OBJECTIVE
Determine if:
3.6.1[a] an operational incident-handling capability is established.
3.6.1[b] the operational incident-handling capability includes preparation.
3.6.1[c] the operational incident-handling capability includes detection.
3.6.1[d] the operational incident-handling capability includes analysis.
3.6.1[e] the operational incident-handling capability includes containment.
3.6.1[f] the operational incident-handling capability includes recovery.
3.6.1[g] the operational incident-handling capability includes user response activities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Incident response policy; contingency planning policy; procedures addressing incident handling; procedures addressing incident response assistance; incident response plan; contingency plan; system security plan; procedures addressing incident response training; incident response training curriculum; incident response training materials; incident response training records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with incident handling responsibilities; personnel with contingency planning responsibilities; personnel with incident response training and operational responsibilities; personnel with incident response assistance and support responsibilities; personnel with access to incident response support and assistance capability; personnel with information security responsibilities].
Test: [SELECT FROM: Incident-handling capability for the organization; organizational processes for incident response assistance; mechanisms supporting or implementing incident response assistance].

3.6.2

3.6.2 SECURITY REQUIREMENT
Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
ASSESSMENT OBJECTIVE
Determine if:
3.6.2[a] incidents are tracked.
3.6.2[b] incidents are documented.
3.6.2[c] authorities to whom incidents are to be reported are identified.
3.6.2[d] organizational officials to whom incidents are to be reported are identified.
3.6.2[e] identified authorities are notified of incidents.
3.6.2[f] identified organizational officials are notified of incidents.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Incident response policy; procedures addressing incident monitoring; incident response records and documentation; procedures addressing incident reporting; incident reporting records and documentation; incident response plan; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Personnel with incident monitoring responsibilities; personnel with incident reporting responsibilities; personnel who have or should have reported incidents; personnel (authorities) to whom incident information is to be reported; personnel with information security responsibilities].
Test: [SELECT FROM: Incident monitoring capability for the organization; mechanisms supporting or implementing tracking and documenting of system security incidents; organizational processes for incident reporting; mechanisms supporting or implementing incident reporting].

3.6.3

3.6.3 SECURITY REQUIREMENT
Test the organizational incident response capability.
ASSESSMENT OBJECTIVE
Determine if the incident response capability is tested.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Incident response policy; contingency planning policy; procedures addressing incident response testing; procedures addressing contingency plan testing; incident response testing material; incident response test results; incident response test plan; incident response plan; contingency plan; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Personnel with incident response testing responsibilities; personnel with information security responsibilities; personnel with responsibilities for testing plans related to incident response].
Test: [SELECT FROM: Mechanisms and processes for incident response].

3.7 MAINTENANCE

3.7.1

3.7.1 SECURITY REQUIREMENT
Perform maintenance on organizational systems.
ASSESSMENT OBJECTIVE
Determine if system maintenance is performed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System maintenance policy; procedures addressing controlled system maintenance; maintenance records; manufacturer or vendor maintenance specifications; equipment sanitization records; media sanitization records; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities; personnel responsible for media sanitization; system or network administrators].
Test: [SELECT FROM: Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for systems; organizational processes for sanitizing system components; mechanisms supporting or implementing controlled maintenance; mechanisms implementing sanitization of system components].

3.7.2

3.7.2 SECURITY REQUIREMENT
Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
ASSESSMENT OBJECTIVE
Determine if:
3.7.2[a] tools used to conduct system maintenance are controlled.
3.7.2[b] techniques used to conduct system maintenance are controlled.
3.7.2[c] mechanisms used to conduct system maintenance are controlled.
3.7.2[d] personnel used to conduct system maintenance are controlled.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System maintenance policy; procedures addressing system maintenance tools and media; maintenance records; system maintenance tools and associated documentation; maintenance tool inspection records; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for approving, controlling, and monitoring maintenance tools; mechanisms supporting or implementing approval, control, and monitoring of maintenance tools; organizational processes for inspecting maintenance tools; mechanisms supporting or implementing inspection of maintenance tools; organizational process for inspecting media for malicious code; mechanisms supporting or implementing inspection of media used for maintenance].

3.7.3

3.7.3 SECURITY REQUIREMENT
Ensure equipment removed for off-site maintenance is sanitized of any CUI.
ASSESSMENT OBJECTIVE
Determine if equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System maintenance policy; procedures addressing controlled system maintenance; maintenance records; manufacturer or vendor maintenance specifications; equipment sanitization records; media sanitization records; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities; personnel responsible for media sanitization; system or network administrators].
Test: [SELECT FROM: Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for systems; organizational processes for sanitizing system components; mechanisms supporting or implementing controlled maintenance; mechanisms implementing sanitization of system components].

3.7.4

3.7.4 SECURITY REQUIREMENT
Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
ASSESSMENT OBJECTIVE
Determine if media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System maintenance policy; procedures addressing system maintenance tools; system maintenance tools and associated documentation; maintenance records; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational process for inspecting media for malicious code; mechanisms supporting or implementing inspection of media used for maintenance].

3.7.5

3.7.5 SECURITY REQUIREMENT
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
ASSESSMENT OBJECTIVE
Determine if:
3.7.5[a] multifactor authentication is used to establish nonlocal maintenance sessions via external network connections.
3.7.5[b] nonlocal maintenance sessions established via external network connections are terminated when nonlocal maintenance is complete.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System maintenance policy; procedures addressing nonlocal system maintenance; system security plan; system design documentation; system configuration settings and associated documentation; maintenance records; diagnostic records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for managing nonlocal maintenance; mechanisms implementing, supporting, and managing nonlocal maintenance; mechanisms for strong authentication of nonlocal maintenance diagnostic sessions; mechanisms for terminating nonlocal maintenance sessions and network connections].

3.7.6

3.7.6 SECURITY REQUIREMENT
Supervise the maintenance activities of maintenance personnel without required access authorization.
ASSESSMENT OBJECTIVE
Determine if maintenance personnel without required access authorization are supervised during maintenance activities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System maintenance policy; procedures addressing maintenance personnel; service provider contracts; service-level agreements; list of authorized personnel; maintenance records; access control records; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for authorizing and managing maintenance personnel; mechanisms supporting or implementing authorization of maintenance personnel].

3.8 MEDIA PROTECTION

3.8.1

3.8.1 SECURITY REQUIREMENT
Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
ASSESSMENT OBJECTIVE
Determine if:
3.8.1[a] paper media containing CUI is physically controlled.
3.8.1[b] digital media containing CUI is physically controlled.
3.8.1[c] paper media containing CUI is securely stored.
3.8.1[d] digital media containing CUI is securely stored.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System media protection policy; procedures addressing media storage; procedures addressing media access restrictions; access control policy and procedures; physical and environmental protection policy and procedures; system security plan; media storage facilities; access control records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system media protection responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for restricting information media; mechanisms supporting or implementing media access restrictions].

3.8.2

3.8.2 SECURITY REQUIREMENT
Limit access to CUI on system media to authorized users.
ASSESSMENT OBJECTIVE
Determine if access to CUI on system media is limited to authorized users.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System media protection policy; procedures addressing media storage; physical and environmental protection policy and procedures; access control policy and procedures; system security plan; system media; designated controlled areas; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system media protection and storage responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for storing media; mechanisms supporting or implementing secure media storage and media protection].

3.8.3

3.8.3 SECURITY REQUIREMENT
Sanitize or destroy system media containing CUI before disposal or release for reuse.
ASSESSMENT OBJECTIVE
Determine if:
3.8.3[a] system media containing CUI is sanitized or destroyed before disposal.
3.8.3[b] system media containing CUI is sanitized before it is released for reuse.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System media protection policy; procedures addressing media sanitization and disposal; applicable standards and policies addressing media sanitization; system security plan; media sanitization records; system audit logs and records; system design documentation; system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Personnel with media sanitization responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for media sanitization; mechanisms supporting or implementing media sanitization].

3.8.4

3.8.4 SECURITY REQUIREMENT
Mark media with necessary CUI markings and distribution limitations.
ASSESSMENT OBJECTIVE
Determine if:
3.8.4[a] media containing CUI is marked with applicable CUI markings.
3.8.4[b] media containing CUI is marked with distribution limitations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System media protection policy; procedures addressing media marking; physical and environmental protection policy and procedures; system security plan; list of system media marking security attributes; designated controlled areas; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system media protection and marking responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for marking information media; mechanisms supporting or implementing media marking].

3.8.5

3.8.5 SECURITY REQUIREMENT
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
ASSESSMENT OBJECTIVE
Determine if:
3.8.5[a] access to media containing CUI is controlled.
3.8.5[b] accountability for media containing CUI is maintained during transport outside of controlled areas.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System media protection policy; procedures addressing media storage; physical and environmental protection policy and procedures; access control policy and procedures; system security plan; system media; designated controlled areas; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system media protection and storage responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for storing media; mechanisms supporting or implementing media storage and media protection].

3.8.6

3.8.6 SECURITY REQUIREMENT
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
ASSESSMENT OBJECTIVE
Determine if the confidentiality of CUI stored on digital media is protected during transport using cryptographic mechanisms or alternative physical safeguards.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System media protection policy; procedures addressing media transport; system design documentation; system security plan; system configuration settings and associated documentation; system media transport records; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system media transport responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Cryptographic mechanisms protecting information on digital media during transportation outside controlled areas].

3.8.7

3.8.7 SECURITY REQUIREMENT
Control the use of removable media on system components.
ASSESSMENT OBJECTIVE
Determine if the use of removable media on system components is controlled.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System media protection policy; system use policy; procedures addressing media usage restrictions; system security plan; rules of behavior; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system media use responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for media use; mechanisms restricting or prohibiting use of system media on systems or system components].

3.8.8

3.8.8 SECURITY REQUIREMENT
Prohibit the use of portable storage devices when such devices have no identifiable owner.
ASSESSMENT OBJECTIVE
Determine if the use of portable storage devices is prohibited when such devices have no identifiable owner.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System media protection policy; system use policy; procedures addressing media usage restrictions; system security plan; rules of behavior; system configuration settings and associated documentation; system design documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system media use responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for media use; mechanisms prohibiting use of media on systems or system components].

3.8.9

3.8.9 SECURITY REQUIREMENT
Protect the confidentiality of backup CUI at storage locations.
ASSESSMENT OBJECTIVE
Determine if the confidentiality of backup CUI is protected at storage locations.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Procedures addressing system backup; system configuration settings and associated documentation; security plan; backup storage locations; system backup logs or records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system backup responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for conducting system backups; mechanisms supporting or implementing system backups].

3.9 PERSONNEL SECURITY

3.9.1

3.9.1 SECURITY REQUIREMENT
Screen individuals prior to authorizing access to organizational systems containing CUI.
ASSESSMENT OBJECTIVE
Determine if individuals are screened prior to authorizing access to organizational systems containing CUI.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel screening; records of screened personnel; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Personnel with personnel security responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for personnel screening].

3.9.2

3.9.2 SECURITY REQUIREMENT
Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
ASSESSMENT OBJECTIVE
Determine if:
3.9.2[a] a policy and/or process for terminating system access and any credentials coincident with personnel actions is established.
3.9.2[b] system access and credentials are terminated consistent with personnel actions such as termination or transfer.
3.9.2[c] the system is protected during and after personnel transfer actions.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Personnel security policy; procedures addressing personnel transfer and termination; records of personnel transfer and termination actions; list of system accounts; records of terminated or revoked authenticators and credentials; records of exit interviews; other relevant documents or records].

Interview: [SELECT FROM: Personnel with personnel security responsibilities; personnel with account management responsibilities; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for personnel transfer and termination; mechanisms supporting or implementing personnel transfer and termination notifications; mechanisms for disabling system access and revoking authenticators].

3.10 PHYSICAL PROTECTION

3.10.1

3.10.1 SECURITY REQUIREMENT
Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
ASSESSMENT OBJECTIVE
Determine if:
3.10.1[a] authorized individuals allowed physical access are identified.
3.10.1[b] physical access to organizational systems is limited to authorized individuals.
3.10.1[c] physical access to equipment is limited to authorized individuals.
3.10.1[d] physical access to operating environments is limited to authorized individuals.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access authorizations; system security plan; authorized personnel access list; authorization credentials; physical access list reviews; physical access termination records and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Personnel with physical access authorization responsibilities; personnel with physical access to system facility; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for physical access authorizations; mechanisms supporting or implementing physical access authorizations].

3.10.2

3.10.2 SECURITY REQUIREMENT
Protect and monitor the physical facility and support infrastructure for organizational systems.
ASSESSMENT OBJECTIVE
Determine if:
3.10.2[a] the physical facility where organizational systems reside is protected.
3.10.2[b] the support infrastructure for organizational systems is protected.
3.10.2[c] the physical facility where organizational systems reside is monitored.
3.10.2[d] the support infrastructure for organizational systems is monitored.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access monitoring; system security plan; physical access logs or records; physical access monitoring records; physical access log reviews; other relevant documents or records].

Interview: [SELECT FROM: Personnel with physical access monitoring responsibilities; personnel with incident response responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for monitoring physical access; mechanisms supporting or implementing physical access monitoring; mechanisms supporting or implementing the review of physical access logs].

3.10.3

3.10.3 SECURITY REQUIREMENT
Escort visitors and monitor visitor activity.
ASSESSMENT OBJECTIVE
Determine if:
3.10.3[a] visitors are escorted.
3.10.3[b] visitor activity is monitored.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; system security plan; physical access control logs or records; inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility; other relevant documents or records].

Interview: [SELECT FROM: Personnel with physical access control responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for physical access control; mechanisms supporting or implementing physical access control; physical access control devices].

3.10.4

3.10.4 SECURITY REQUIREMENT
Maintain audit logs of physical access.
ASSESSMENT OBJECTIVE
Determine if audit logs of physical access are maintained.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; system security plan; physical access control logs or records; inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility; other relevant documents or records].

Interview: [SELECT FROM: Personnel with physical access control responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for physical access control; mechanisms supporting or implementing physical access control; physical access control devices].

3.10.5

3.10.5 SECURITY REQUIREMENT
Control and manage physical access devices.
ASSESSMENT OBJECTIVE
Determine if:
3.10.5[a] physical access devices are identified.
3.10.5[b] physical access devices are controlled.
3.10.5[c] physical access devices are managed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing physical access control; system security plan; physical access control logs or records; inventory records of physical access control devices; system entry and exit points; records of key and lock combination changes; storage locations for physical access control devices; physical access control devices; list of security safeguards controlling access to designated publicly accessible areas within facility; other relevant documents or records].

Interview: [SELECT FROM: Personnel with physical access control responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for physical access control; mechanisms supporting or implementing physical access control; physical access control devices].

3.10.6

3.10.6 SECURITY REQUIREMENT
Enforce safeguarding measures for CUI at alternate work sites.
ASSESSMENT OBJECTIVE
Determine if:
3.10.6[a] safeguarding measures for CUI are defined for alternate work sites.
3.10.6[b] safeguarding measures for CUI are enforced for alternate work sites.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Physical and environmental protection policy; procedures addressing alternate work sites for personnel; system security plan; list of safeguards required for alternate work sites; assessments of safeguards at alternate work sites; other relevant documents or records].

Interview: [SELECT FROM: Personnel approving use of alternate work sites; personnel using alternate work sites; personnel assessing controls at alternate work sites; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for security at alternate work sites; mechanisms supporting alternate work sites; safeguards employed at alternate work sites; means of communications between personnel at alternate work sites and security personnel].

3.11 RISK ASSESSMENT

3.11.1

3.11.1 SECURITY REQUIREMENT
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
ASSESSMENT OBJECTIVE
Determine if:
3.11.1[a] the frequency to assess risk to organizational operations, organizational assets, and individuals is defined.
3.11.1[b] risk to organizational operations, organizational assets, and individuals resulting from the operation of an organizational system that processes, stores, or transmits CUI is assessed with the defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Risk assessment policy; security planning policy and procedures; procedures addressing organizational risk assessments; system security plan; risk assessment; risk assessment results; risk assessment reviews; risk assessment updates; other relevant documents or records].

Interview: [SELECT FROM: Personnel with risk assessment responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for risk assessment; mechanisms supporting or for conducting, documenting, reviewing, disseminating, and updating the risk assessment].

3.11.2

3.11.2 SECURITY REQUIREMENT
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
ASSESSMENT OBJECTIVE
Determine if:
3.11.2[a] the frequency to scan for vulnerabilities in organizational systems and applications is defined.
3.11.2[b] vulnerability scans are performed on organizational systems with the defined frequency.
3.11.2[c] vulnerability scans are performed on applications with the defined frequency.
3.11.2[d] vulnerability scans are performed on organizational systems when new vulnerabilities are identified.
3.11.2[e] vulnerability scans are performed on applications when new vulnerabilities are identified.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; system security plan; security assessment report; vulnerability scanning tools and associated configuration documentation; vulnerability scanning results; patch and vulnerability management records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with risk assessment, security assessment and vulnerability scanning responsibilities; personnel with vulnerability scan analysis and remediation responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for vulnerability scanning, analysis, remediation, and information sharing; mechanisms supporting or implementing vulnerability scanning, analysis, remediation, and information sharing].
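One way an assessor can test 3.11.2[b] and 3.11.2[d] against evidence rather than by interview alone is to run the scan dates from the vulnerability scanning records against the defined frequency, and check that each new-vulnerability notice was followed by a scan. The block below is an added example, not part of NIST SP 800-171A or of this catalog page; the 30-day frequency, the 7-day rescan window, the scan dates and the advisory identifiers (ADV-1, ADV-2) are all placeholder values constructed for the illustration.

```python
"""
Added example (not part of NIST SP 800-171A): test scan cadence evidence
against the defined frequency (3.11.2[a]/[b]) and check that a scan followed
each newly identified vulnerability (3.11.2[d]).

Assumptions: the 30-day frequency and the "scan within 7 days of a new
vulnerability notice" rule are hypothetical organizational values; the scan
dates and notice dates are constructed, not taken from a real scanner.
"""
from datetime import date, timedelta

DEFINED_FREQUENCY_DAYS = 30       # hypothetical organizational value (3.11.2[a])
RESCAN_WINDOW_DAYS = 7            # hypothetical organizational value (3.11.2[d])

# Constructed evidence: dates of completed scans and of new-vulnerability notices.
SCAN_DATES = [date(2024, 1, 5), date(2024, 2, 2), date(2024, 3, 1), date(2024, 4, 20)]
NEW_VULN_NOTICES = {"ADV-1": date(2024, 2, 26), "ADV-2": date(2024, 3, 25)}


def cadence_gaps(scan_dates, as_of, frequency=DEFINED_FREQUENCY_DAYS):
    """Return (start, end) intervals between consecutive scans, and from the
    last scan to `as_of`, that exceed the defined frequency. An empty list
    means 3.11.2[b] is satisfied for the period covered by the records."""
    dates = sorted(scan_dates)
    limit = timedelta(days=frequency)
    gaps = []
    for prev, nxt in zip(dates, dates[1:] + [as_of]):
        if nxt - prev > limit:
            gaps.append((prev, nxt))
    return gaps


def unscanned_notices(scan_dates, notices, window=RESCAN_WINDOW_DAYS):
    """Return the ids of notices that were not followed by a scan inside the
    rescan window; each one is a 3.11.2[d] finding."""
    dates = sorted(scan_dates)
    missed = []
    for notice_id, when in notices.items():
        deadline = when + timedelta(days=window)
        if not any(when <= d <= deadline for d in dates):
            missed.append(notice_id)
    return sorted(missed)


if __name__ == "__main__":
    today = date(2024, 4, 25)
    print("cadence gaps:", cadence_gaps(SCAN_DATES, today))
    print("notices without a follow-up scan:", unscanned_notices(SCAN_DATES, NEW_VULN_NOTICES))
```

The last interval is measured up to the assessment date, so a scan that was due but has not yet happened shows up as a gap instead of being silently ignored; the same function works on the export of any scanner as long as the completion dates are extracted into `date` objects.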

3.11.3

3.11.3SECURITY REQUIREMENT
Remediate vulnerabilities in accordance with risk assessments.
ASSESSMENT OBJECTIVE
Determine if:
3.11.3[a]vulnerabilities are identified.
3.11.3[b]vulnerabilities are remediated in accordance with risk assessments.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; system security plan; security assessment report; vulnerability scanning tools and associated configuration documentation; vulnerability scanning results; patch and vulnerability management records; other relevant documents or records].

Interview: [SELECT FROM: Personnel with risk assessment, security assessment and vulnerability scanning responsibilities; personnel with vulnerability scan analysis responsibilities; personnel with vulnerability remediation responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for vulnerability scanning, analysis, remediation, and information sharing; mechanisms supporting or implementing vulnerability scanning, analysis, remediation, and information sharing].

3.12 SECURITY ASSESSMENT

3.12.1

3.12.1SECURITY REQUIREMENT
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
ASSESSMENT OBJECTIVE
Determine if:
3.12.1[a]the frequency of security control assessments is defined.
3.12.1[b]security controls are assessed with the defined frequency to determine if the controls are effective in their application.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing security assessment planning; procedures addressing security assessments; security assessment plan; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Personnel with security assessment responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms supporting security assessment, security assessment plan development, and security assessment reporting].

3.12.2

3.12.2SECURITY REQUIREMENT
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
ASSESSMENT OBJECTIVE
Determine if:
3.12.2[a]deficiencies and vulnerabilities to be addressed by the plan of action are identified.
3.12.2[b]a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities.
3.12.2[c]the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Security assessment and authorization policy; procedures addressing plan of action; system security plan; security assessment plan; security assessment report; security assessment evidence; plan of action; other relevant documents or records].

Interview: [SELECT FROM: Personnel with plan of action development and implementation responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms for developing, implementing, and maintaining plan of action].

3.12.3

3.12.3SECURITY REQUIREMENT
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
ASSESSMENT OBJECTIVE
Determine if security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Security planning policy; organizational procedures addressing system security plan development and implementation; procedures addressing system security plan reviews and updates; enterprise architecture documentation; system security plan; records of system security plan reviews and updates; other relevant documents or records].

Interview: [SELECT FROM: Personnel with security planning and system security plan implementation responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for system security plan development, review, update, and approval; mechanisms supporting the system security plan].

3.12.4

3.12.4SECURITY REQUIREMENT
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
ASSESSMENT OBJECTIVE
Determine if:
3.12.4[a]a system security plan is developed.
3.12.4[b]the system boundary is described and documented in the system security plan.
3.12.4[c]the system environment of operation is described and documented in the system security plan.
3.12.4[d]the security requirements identified and approved by the designated authority as non-applicable are identified.
3.12.4[e]the method of security requirement implementation is described and documented in the system security plan.
3.12.4[f]the relationship with or connection to other systems is described and documented in the system security plan.
3.12.4[g]the frequency to update the system security plan is defined.
3.12.4[h]system security plan is updated with the defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Security planning policy; procedures addressing system security plan development and implementation; procedures addressing system security plan reviews and updates; enterprise architecture documentation; system security plan; records of system security plan reviews and updates; other relevant documents or records].

Interview: [SELECT FROM: Personnel with security planning and system security plan implementation responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for system security plan development, review, update, and approval; mechanisms supporting the system security plan].

3.13 SYSTEM AND COMMUNICATIONS PROTECTION

3.13.1

3.13.1SECURITY REQUIREMENT
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
ASSESSMENT OBJECTIVE
Determine if:
3.13.1[a]the external system boundary is defined.
3.13.1[b]key internal system boundaries are defined.
3.13.1[c]communications are monitored at the external system boundary.
3.13.1[d]communications are monitored at key internal boundaries.
3.13.1[e]communications are controlled at the external system boundary.
3.13.1[f]communications are controlled at key internal boundaries.
3.13.1[g]communications are protected at the external system boundary.
3.13.1[h]communications are protected at key internal boundaries.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system security plan; list of key internal boundaries of the system; system design documentation; boundary protection hardware and software; enterprise security architecture documentation; system audit logs and records; system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer; personnel with boundary protection responsibilities].
Test: [SELECT FROM: Mechanisms implementing boundary protection capability].

3.13.2

3.13.2SECURITY REQUIREMENT
Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
ASSESSMENT OBJECTIVE
Determine if:
3.13.2[a]architectural designs that promote effective information security are identified.
3.13.2[b]software development techniques that promote effective information security are identified.
3.13.2[c]systems engineering principles that promote effective information security are identified.
3.13.2[d]identified architectural designs that promote effective information security are employed.
3.13.2[e]identified software development techniques that promote effective information security are employed.
3.13.2[f]identified systems engineering principles that promote effective information security are employed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Security planning policy; procedures addressing system security plan development and implementation; procedures addressing system security plan reviews and updates; enterprise architecture documentation; system security plan; records of system security plan reviews and updates; system and communications protection policy; procedures addressing security engineering principles used in the specification, design, development, implementation, and modification of the system; security architecture documentation; security requirements and specifications for the system; system design documentation; system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: Personnel with responsibility for determining information system security requirements; personnel with information system design, development, implementation, and modification responsibilities; personnel with security planning and system security plan implementation responsibilities; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for system security plan development, review, update, and approval; mechanisms supporting the system security plan; processes for applying security engineering principles in system specification, design, development, implementation, and modification; automated mechanisms supporting the application of security engineering principles in information system specification, design, development, implementation, and modification].

3.13.3

3.13.3SECURITY REQUIREMENT
Separate user functionality from system management functionality.
ASSESSMENT OBJECTIVE
Determine if:
3.13.3[a]user functionality is identified.
3.13.3[b]system management functionality is identified.
3.13.3[c]user functionality is separated from system management functionality.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and communications protection policy; procedures addressing application partitioning; system design documentation; system configuration settings and associated documentation; system security plan; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer].
Test: [SELECT FROM: Separation of user functionality from system management functionality].

3.13.4

3.13.4SECURITY REQUIREMENT
Prevent unauthorized and unintended information transfer via shared system resources.
ASSESSMENT OBJECTIVE
Determine if unauthorized and unintended information transfer via shared system resources is prevented.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and communications protection policy; procedures addressing application partitioning; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer].
Test: [SELECT FROM: Separation of user functionality from system management functionality].

3.13.5

3.13.5SECURITY REQUIREMENT
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
ASSESSMENT OBJECTIVE
Determine if:
3.13.5[a]publicly accessible system components are identified.
3.13.5[b]subnetworks for publicly accessible system components are physically or logically separated from internal networks.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system security plan; list of key internal boundaries of the system; system design documentation; boundary protection hardware and software; system configuration settings and associated documentation; enterprise security architecture documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer; personnel with boundary protection responsibilities].
Test: [SELECT FROM: Mechanisms implementing boundary protection capability].

3.13.6

3.13.6SECURITY REQUIREMENT
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
ASSESSMENT OBJECTIVE
Determine if:
3.13.6[a]network communications traffic is denied by default.
3.13.6[b]network communications traffic is allowed by exception.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer; personnel with boundary protection responsibilities].
Test: [SELECT FROM: Mechanisms implementing traffic management at managed interfaces].
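For 3.13.6 the Test method points at the traffic-management mechanism itself, so the most direct evidence is the live ruleset of the managed interface. The following block is an added example, not part of NIST SP 800-171A or of this catalog page: it reads the text of an nftables ruleset (the shape produced by `nft list ruleset`), reports the default policy of every base chain, and lists the accept rules as the permit-by-exception entries. The ruleset itself is constructed for the illustration, and the rule that every base chain must carry `policy drop` is an interpretation of 3.13.6[a], not NIST wording.

```python
"""
Added example (not part of NIST SP 800-171A): check an nftables ruleset for
"deny all, permit by exception" (3.13.6[a]/[b]).

Assumptions: the input is the text form of `nft list ruleset`; every base
chain (a chain with a `type ... hook ...` line) must have `policy drop`, and
each `accept` rule inside it is counted as a permit-by-exception entry.
Non-base chains are skipped because the policy of the base chain that jumps
to them is what governs the traffic.
"""
import re

# Constructed sample ruleset, not captured from a real host.
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
        ip saddr 10.0.0.0/8 tcp dport 443 accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
    chain helper {
        ip saddr 192.0.2.0/24 accept
    }
}
"""

CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{\s*$")
HOOK_RE = re.compile(r"^\s*type\s+\w+\s+hook\s+(\w+).*?policy\s+(\w+)\s*;")
ACCEPT_RE = re.compile(r"\baccept\b")


def audit_ruleset(text):
    """Return {chain: {"hook", "policy", "accepts", "compliant"}} for every
    base chain in the ruleset text."""
    chains, current, info = {}, None, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current, info = m.group(1), {"hook": None, "policy": None, "accepts": []}
            continue
        if current is None:
            continue
        if line.strip() == "}":
            if info["hook"] is not None:          # only base chains are reportable
                info["compliant"] = info["policy"] == "drop"
                chains[current] = info
            current, info = None, None
            continue
        h = HOOK_RE.match(line)
        if h:
            info["hook"], info["policy"] = h.group(1), h.group(2)
        elif ACCEPT_RE.search(line):
            info["accepts"].append(line.strip())  # a permit-by-exception entry
    return chains


def noncompliant_chains(text):
    """Names of base chains whose default policy is not drop (3.13.6[a] findings)."""
    return sorted(name for name, c in audit_ruleset(text).items() if not c["compliant"])


if __name__ == "__main__":
    for name, c in audit_ruleset(SAMPLE_RULESET).items():
        print(f"{name}: hook={c['hook']} policy={c['policy']} "
              f"exceptions={len(c['accepts'])} compliant={c['compliant']}")
```

In the sample the input chain is the compliant shape (drop by default, four explicit exceptions), while forward and output default to accept and would be reported as findings; 3.13.6 applies to every direction of traffic at the managed interface, so an output chain left at accept is a finding even when inbound traffic is locked down.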

3.13.7

3.13.7SECURITY REQUIREMENT
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
ASSESSMENT OBJECTIVE
Determine if remote devices are prevented from simultaneously establishing non-remote connections with the system and communicating via some other connection to resources in external networks (i.e., split tunneling).
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and communications protection policy; procedures addressing boundary protection; system security plan; system design documentation; system hardware and software; system architecture; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer; personnel with boundary protection responsibilities].
Test: [SELECT FROM: Mechanisms implementing boundary protection capability; mechanisms supporting or restricting non-remote connections].

3.13.8

3.13.8SECURITY REQUIREMENT
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
ASSESSMENT OBJECTIVE
Determine if:
3.13.8[a]cryptographic mechanisms intended to prevent unauthorized disclosure of CUI are identified.
3.13.8[b]alternative physical safeguards intended to prevent unauthorized disclosure of CUI are identified.
3.13.8[c]either cryptographic mechanisms or alternative physical safeguards are implemented to prevent unauthorized disclosure of CUI during transmission.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and communications protection policy; procedures addressing transmission confidentiality and integrity; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer].
Test: [SELECT FROM: Cryptographic mechanisms or mechanisms supporting or implementing transmission confidentiality; organizational processes for defining and implementing alternative physical safeguards].

3.13.9

3.13.9SECURITY REQUIREMENT
Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
ASSESSMENT OBJECTIVE
Determine if:
3.13.9[a]a period of inactivity to terminate network connections associated with communications sessions is defined.
3.13.9[b]network connections associated with communications sessions are terminated at the end of the sessions.
3.13.9[c]network connections associated with communications sessions are terminated after the defined period of inactivity.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and communications protection policy; procedures addressing network disconnect; system design documentation; system security plan; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer].
Test: [SELECT FROM: Mechanisms supporting or implementing network disconnect capability].
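For 3.13.9[a] and 3.13.9[c] the question for a given service is what idle period its configuration actually enforces, and whether that period is within the one the organization defined. The block below is an added example, not part of NIST SP 800-171A or of this catalog page. It computes the effective disconnect time of an OpenSSH server from sshd_config using the documented OpenSSH semantics (the server drops a session that has not answered ClientAliveCountMax consecutive keepalives sent every ClientAliveInterval seconds; an interval of 0, the OpenSSH default, sends no keepalives, and a count of 0 disables termination). The 15-minute defined period and the three sample configurations are constructed placeholders.

```python
"""
Added example (not part of NIST SP 800-171A): derive the effective idle
disconnect of an OpenSSH server from sshd_config and compare it with the
organization's defined period of inactivity (3.13.9[a]/[c]).

Assumptions: OpenSSH semantics for ClientAliveInterval/ClientAliveCountMax
(first occurrence of a keyword wins, Match blocks are out of scope here);
the 15-minute defined period is a hypothetical organizational value.
"""

DEFINED_INACTIVITY_SECONDS = 15 * 60          # hypothetical organizational value

# OpenSSH defaults for the two directives this check depends on.
DEFAULTS = {"clientaliveinterval": 0, "clientalivecountmax": 3}

# Constructed sample configurations (only the relevant lines are shown).
COMPLIANT = """\
# sshd_config excerpt
Port 22
ClientAliveInterval 300
ClientAliveCountMax 3
ClientAliveInterval 3600   # duplicate: ignored, first occurrence wins
"""
DEFAULT_ONLY = """\
Port 22
PermitRootLogin no
"""
TOO_LONG = """\
ClientAliveInterval 600
ClientAliveCountMax 3
"""


def parse_sshd_config(text):
    """Effective values of the directives in DEFAULTS, honouring sshd's
    first-match-wins rule and stopping at the first Match block."""
    values = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                                # conditional blocks not evaluated here
        if key in DEFAULTS and key not in seen:
            values[key] = int(val)
            seen.add(key)
    return values


def effective_idle_timeout(text):
    """Seconds after which sshd disconnects an unresponsive session, or None
    when keepalive probing is off and sshd enforces no disconnect at all."""
    v = parse_sshd_config(text)
    if v["clientaliveinterval"] == 0 or v["clientalivecountmax"] == 0:
        return None
    return v["clientaliveinterval"] * v["clientalivecountmax"]


def meets_requirement(text, limit=DEFINED_INACTIVITY_SECONDS):
    """True when sshd enforces a disconnect no longer than the defined period."""
    t = effective_idle_timeout(text)
    return t is not None and t <= limit


if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT), ("default_only", DEFAULT_ONLY), ("too_long", TOO_LONG)):
        print(f"{name}: timeout={effective_idle_timeout(cfg)} ok={meets_requirement(cfg)}")
```

One caveat belongs in the assessment notes: ClientAlive detects a client that has stopped responding at the transport layer, not a user who has stopped typing, so a connected but idle session is not torn down by these directives alone. Covering user inactivity for interactive shells needs a separate mechanism (a shell idle timeout, for example), and the assessor should ask for that evidence as well.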

3.13.10

3.13.10SECURITY REQUIREMENT
Establish and manage cryptographic keys for cryptography employed in organizational systems.
ASSESSMENT OBJECTIVE
Determine if:
3.13.10[a]cryptographic keys are established whenever cryptography is employed.
3.13.10[b]cryptographic keys are managed whenever cryptography is employed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic key establishment and management; system security plan; system design documentation; cryptographic mechanisms; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel with responsibilities for cryptographic key establishment and management].
Test: [SELECT FROM: Mechanisms supporting or implementing cryptographic key establishment and management].

3.13.11

3.13.11SECURITY REQUIREMENT
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
ASSESSMENT OBJECTIVE
Determine if FIPS-validated cryptography is employed to protect the confidentiality of CUI.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and communications protection policy; procedures addressing cryptographic protection; system security plan; system design documentation; system configuration settings and associated documentation; cryptographic module validation certificates; list of FIPS-validated cryptographic modules; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer; personnel with responsibilities for cryptographic protection].
Test: [SELECT FROM: Mechanisms supporting or implementing cryptographic protection].

3.13.12

3.13.12SECURITY REQUIREMENT
Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
ASSESSMENT OBJECTIVE
Determine if:
3.13.12[a]collaborative computing devices are identified.
3.13.12[b]collaborative computing devices provide indication to users of devices in use.
3.13.12[c]remote activation of collaborative computing devices is prohibited.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and communications protection policy; procedures addressing collaborative computing; access control policy and procedures; system security plan; system design documentation; system audit logs and records; system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer; personnel with responsibilities for managing collaborative computing devices].
Test: [SELECT FROM: Mechanisms supporting or implementing management of remote activation of collaborative computing devices; mechanisms providing an indication of use of collaborative computing devices].

3.13.13

3.13.13SECURITY REQUIREMENT
Control and monitor the use of mobile code.
ASSESSMENT OBJECTIVE
Determine if:
3.13.13[a]use of mobile code is controlled.
3.13.13[b]use of mobile code is monitored.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and communications protection policy; procedures addressing mobile code; mobile code usage restrictions; mobile code implementation policy and procedures; system security plan; list of acceptable mobile code and mobile code technologies; list of unacceptable mobile code and mobile technologies; authorization records; system monitoring records; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel with responsibilities for managing mobile code].
Test: [SELECT FROM: Organizational process for controlling, authorizing, monitoring, and restricting mobile code; mechanisms supporting or implementing the management of mobile code; mechanisms supporting or implementing the monitoring of mobile code].

3.13.14

3.13.14SECURITY REQUIREMENT
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
ASSESSMENT OBJECTIVE
Determine if:
3.13.14[a]use of Voice over Internet Protocol (VoIP) technologies is controlled.
3.13.14[b]use of Voice over Internet Protocol (VoIP) technologies is monitored.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and communications protection policy; procedures addressing VoIP; VoIP usage restrictions; VoIP implementation guidance; system security plan; system design documentation; system audit logs and records; system configuration settings and associated documentation; system monitoring records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel with responsibilities for managing VoIP].
Test: [SELECT FROM: Organizational process for authorizing, monitoring, and controlling VoIP; mechanisms supporting or implementing authorizing, monitoring, and controlling VoIP].

3.13.15

3.13.15SECURITY REQUIREMENT
Protect the authenticity of communications sessions.
ASSESSMENT OBJECTIVE
Determine if the authenticity of communications sessions is protected.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and communications protection policy; procedures addressing session authenticity; system security plan; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Mechanisms supporting or implementing session authenticity].

3.13.16

3.13.16SECURITY REQUIREMENT
Protect the confidentiality of CUI at rest.
ASSESSMENT OBJECTIVE
Determine if the confidentiality of CUI at rest is protected.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and communications protection policy; procedures addressing protection of information at rest; system security plan; system design documentation; list of information at rest requiring confidentiality protections; system configuration settings and associated documentation; cryptographic mechanisms and associated configuration documentation; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; system developer].
Test: [SELECT FROM: Mechanisms supporting or implementing confidentiality protections for information at rest].

3.14 SYSTEM AND INFORMATION INTEGRITY

3.14.1

3.14.1SECURITY REQUIREMENT
Identify, report, and correct system flaws in a timely manner.
ASSESSMENT OBJECTIVE
Determine if:
3.14.1[a]the time within which to identify system flaws is specified.
3.14.1[b]system flaws are identified within the specified time frame.
3.14.1[c]the time within which to report system flaws is specified.
3.14.1[d]system flaws are reported within the specified time frame.
3.14.1[e]the time within which to correct system flaws is specified.
3.14.1[f]system flaws are corrected within the specified time frame.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; procedures addressing configuration management; system security plan; list of flaws and vulnerabilities potentially affecting the system; list of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws); test results from the installation of software and firmware updates to correct system flaws; installation/change control records for security-relevant software and firmware updates; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for flaw remediation; personnel with configuration management responsibility].
Test: [SELECT FROM: Organizational processes for identifying, reporting, and correcting system flaws; organizational process for installing software and firmware updates; mechanisms supporting or implementing reporting and correcting system flaws; mechanisms supporting or implementing testing software and firmware updates].
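Objectives 3.14.1[e] and 3.14.1[f] turn on whether each flaw was corrected inside the time frame the organization specified, which is something the patch and vulnerability management records can be tested against directly. The block below is an added example, not part of NIST SP 800-171A or of this catalog page; the per-severity time frames, the flaw identifiers (FLAW-1 to FLAW-4) and the dates are constructed placeholders, and the severity tiers are an assumption about how an organization might specify its time frames, not NIST wording.

```python
"""
Added example (not part of NIST SP 800-171A): check flaw-remediation records
against the organization's specified correction time frames (3.14.1[e]/[f]).

Assumptions: the time frames below are hypothetical organizational values
keyed by severity, and the records are constructed rather than exported
from a real patch-management system.
"""
from datetime import date, timedelta

# Hypothetical specified time frames (days to correct), by severity (3.14.1[e]).
CORRECTION_DAYS = {"critical": 15, "high": 30, "moderate": 90, "low": 180}

# Constructed records: (flaw id, severity, date identified, date corrected or None).
RECORDS = [
    ("FLAW-1", "critical", date(2024, 3, 1), date(2024, 3, 10)),
    ("FLAW-2", "high", date(2024, 3, 1), date(2024, 4, 15)),
    ("FLAW-3", "moderate", date(2024, 1, 15), None),
    ("FLAW-4", "low", date(2024, 2, 1), None),
]


def evaluate(records, as_of, limits=CORRECTION_DAYS):
    """Classify each record as 'within' (corrected on time), 'late' (corrected
    after the deadline), 'overdue' (still open past the deadline) or 'open'
    (still open, deadline not yet reached on `as_of`)."""
    results = {}
    for flaw_id, severity, identified, corrected in records:
        deadline = identified + timedelta(days=limits[severity])
        if corrected is not None:
            results[flaw_id] = "within" if corrected <= deadline else "late"
        else:
            results[flaw_id] = "overdue" if as_of > deadline else "open"
    return results


def findings(records, as_of, limits=CORRECTION_DAYS):
    """Flaw ids that fail 3.14.1[f]: corrected late or open past the deadline."""
    return sorted(f for f, s in evaluate(records, as_of, limits).items() if s in ("late", "overdue"))


def compliant(records, as_of, limits=CORRECTION_DAYS):
    return not findings(records, as_of, limits)


if __name__ == "__main__":
    today = date(2024, 4, 20)
    for flaw_id, status in evaluate(RECORDS, today).items():
        print(f"{flaw_id}: {status}")
    print("findings:", findings(RECORDS, today))
```

Open flaws are judged against the assessment date rather than ignored, so an uncorrected flaw whose deadline has already passed is reported as overdue; a flaw that is still inside its window is merely open and is not a finding yet.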

3.14.2

3.14.2SECURITY REQUIREMENT
Provide protection from malicious code at designated locations within organizational systems.
ASSESSMENT OBJECTIVE
Determine if:
3.14.2[a]designated locations for malicious code protection are identified.
3.14.2[b]protection from malicious code at designated locations is provided.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; records of malicious code protection updates; malicious code protection mechanisms; system security plan; system configuration settings and associated documentation; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; scan results from malicious code protection mechanisms; system design documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for malicious code protection; personnel with configuration management responsibility].
Test: [SELECT FROM: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; mechanisms supporting or implementing employing, updating, and configuring malicious code protection mechanisms; mechanisms supporting or implementing malicious code scanning and subsequent actions].

3.14.3

3.14.3SECURITY REQUIREMENT
Monitor system security alerts and advisories and take action in response.
ASSESSMENT OBJECTIVE
Determine if:
3.14.3[a]response actions to system security alerts and advisories are identified.
3.14.3[b]system security alerts and advisories are monitored.
3.14.3[c]actions in response to system security alerts and advisories are taken.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and information integrity policy; procedures addressing security alerts, advisories, and directives; system security plan; records of security alerts and advisories; other relevant documents or records].

Interview: [SELECT FROM: Personnel with security alert and advisory responsibilities; personnel implementing, operating, maintaining, and using the system; personnel, organizational elements, and external organizations to whom alerts, advisories, and directives are to be disseminated; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives; mechanisms supporting or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives; mechanisms supporting or implementing security directives].

3.14.4

3.14.4SECURITY REQUIREMENT
Update malicious code protection mechanisms when new releases are available.
ASSESSMENT OBJECTIVE
Determine if malicious code protection mechanisms are updated when new releases are available.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; system security plan; system design documentation; system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for malicious code protection; personnel with configuration management responsibility].
Test: [SELECT FROM: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; mechanisms supporting or implementing malicious code protection mechanisms (including updates and configurations); mechanisms supporting or implementing malicious code scanning and subsequent actions].

3.14.5

3.14.5SECURITY REQUIREMENT
Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
ASSESSMENT OBJECTIVE
Determine if:
3.14.5[a]the frequency for malicious code scans is defined.
3.14.5[b]malicious code scans are performed with the defined frequency.
3.14.5[c]real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; system security plan; system design documentation; system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for malicious code protection; personnel with configuration management responsibility].
Test: [SELECT FROM: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; mechanisms supporting or implementing malicious code protection mechanisms (including updates and configurations); mechanisms supporting or implementing malicious code scanning and subsequent actions].
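As an added example, not part of NIST SP 800-171A or this catalog page, of the evidence an assessor can test under 3.14.5[b] and [c]: the Python script below reads a constructed scan log and a constructed endpoint configuration, checks that the gap between consecutive full scans (and from the last scan to the assessment date) never exceeds the organization-defined frequency, and lists any real-time scanning trigger (download, open, execute) that is switched off. The weekly frequency, the log line format, the configuration keys and the 12-hour scheduler slack are assumptions made for the example.

```python
"""Evidence check for 3.14.5: periodic scans at a defined frequency and
real-time scanning of files from external sources.

Added example, not part of NIST SP 800-171A or the catalog page. The scan
records, the defined frequency and the endpoint configuration below are
constructed for illustration; a real assessment reads them from the
malicious code protection mechanism's logs and settings.
"""
from datetime import datetime, timedelta

# 3.14.5[a]: the organization-defined scan frequency (assumption: weekly).
DEFINED_FREQUENCY = timedelta(days=7)

# Constructed scan history: ISO timestamp, event, status, key=value details.
SCAN_LOG = """\
2020-11-03T02:00:11Z full-scan completed host=ws-014 files=412033 detections=0
2020-11-10T02:00:09Z full-scan completed host=ws-014 files=413201 detections=0
2020-11-24T02:01:45Z full-scan completed host=ws-014 files=415770 detections=1
2020-12-01T02:00:14Z full-scan completed host=ws-014 files=416002 detections=0
"""

# Constructed endpoint configuration for real-time (on-access) scanning.
# Assumption: the product exposes these settings as booleans.
ENDPOINT_CONFIG = {
    "realtime_enabled": True,
    "scan_on_download": True,
    "scan_on_open": True,
    "scan_on_execute": False,
}


def parse_scan_times(log_text):
    """Return the sorted datetimes of completed full scans found in the log."""
    times = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "full-scan" and parts[2] == "completed":
            times.append(datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"))
    return sorted(times)


def check_periodic_scans(scan_times, frequency, as_of, slack=timedelta(hours=12)):
    """3.14.5[b]: every gap between consecutive scans, and the gap from the
    last scan to the assessment date, must not exceed the defined frequency.
    `slack` tolerates a scheduled job drifting by a few hours; a skipped
    cycle is not absorbed by it."""
    if not scan_times:
        return {"compliant": False, "gaps_exceeded": [], "last_scan_age": None}
    limit = frequency + slack
    exceeded = []
    for earlier, later in zip(scan_times, scan_times[1:]):
        if later - earlier > limit:
            exceeded.append((earlier, later))
    last_age = as_of - scan_times[-1]
    return {
        "compliant": not exceeded and last_age <= limit,
        "gaps_exceeded": exceeded,
        "last_scan_age": last_age,
    }


def check_realtime_scanning(config):
    """3.14.5[c]: real-time scanning must be on and cover download, open and
    execute. Returns the settings that are missing or off (empty = compliant)."""
    required = ["realtime_enabled", "scan_on_download", "scan_on_open", "scan_on_execute"]
    return [key for key in required if not config.get(key, False)]


def assess(log_text=SCAN_LOG, config=ENDPOINT_CONFIG, as_of=datetime(2020, 12, 8)):
    """Combine both checks into one evidence summary for the assessment date."""
    times = parse_scan_times(log_text)
    periodic = check_periodic_scans(times, DEFINED_FREQUENCY, as_of)
    return {
        "scans_found": len(times),
        "periodic_compliant": periodic["compliant"],
        "gaps_exceeded": periodic["gaps_exceeded"],
        "realtime_missing": check_realtime_scanning(config),
    }


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

Run it directly to print the findings. On the sample data the two-week gap in November and the disabled scan-on-execute setting are reported, which is what 3.14.5[b] and [c] ask the assessor to determine; a real run would substitute the product's own scan records and exported settings.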

3.14.6

3.14.6SECURITY REQUIREMENT
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
ASSESSMENT OBJECTIVE
Determine if:
3.14.6[a]the system is monitored to detect attacks and indicators of potential attacks.
3.14.6[b]inbound communications traffic is monitored to detect attacks and indicators of potential attacks.
3.14.6[c]outbound communications traffic is monitored to detect attacks and indicators of potential attacks.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: System and information integrity policy; procedures addressing system monitoring tools and techniques; continuous monitoring strategy; facility diagram or layout; system security plan; system monitoring tools and techniques documentation; system design documentation; locations within system where monitoring devices are deployed; system protocols; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for monitoring the system; personnel with responsibility for the intrusion detection system].
Test: [SELECT FROM: Organizational processes for system monitoring; mechanisms supporting or implementing intrusion detection capability and system monitoring; mechanisms supporting or implementing system monitoring capability; organizational processes for intrusion detection and system monitoring; mechanisms supporting or implementing the monitoring of inbound and outbound communications traffic].

3.14.7

3.14.7SECURITY REQUIREMENT
Identify unauthorized use of organizational systems.
ASSESSMENT OBJECTIVE
Determine if:
3.14.7[a]authorized use of the system is defined.
3.14.7[b]unauthorized use of the system is identified.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
Examine: [SELECT FROM: Continuous monitoring strategy; system and information integrity policy; procedures addressing system monitoring tools and techniques; facility diagram/layout; system security plan; system design documentation; system monitoring tools and techniques documentation; locations within system where monitoring devices are deployed; system configuration settings and associated documentation; other relevant documents or records].

Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for monitoring the system].
Test: [SELECT FROM: Organizational processes for system monitoring; mechanisms supporting or implementing system monitoring capability].
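As an added example, not part of NIST SP 800-171A or this catalog page, of the monitoring mechanisms tested under 3.14.6 and 3.14.7: the Python below runs three detections over constructed flow and logon records. It flags inbound connections to anything but published services (3.14.6[b]); outbound connections on unapproved ports, and evenly spaced repeated connections to an unknown destination, a beaconing indicator (3.14.6[c]); and successful logons that fall outside the defined authorized use of users, assigned hosts and working hours (3.14.7[a] and [b]). The log formats, addresses, port allowlist, beacon thresholds and authorized-use definition are assumptions made for the example.

```python
"""Detection checks for 3.14.6 (monitor inbound and outbound traffic for
indicators of attack) and 3.14.7 (identify unauthorized use).

Added example, not from NIST SP 800-171A or the catalog page. The flow
records, logon records, allowlists and authorized-use definition are
constructed for illustration; in practice they come from firewall or flow
exports, authentication logs, and the organization's own policy.
"""
from collections import defaultdict
from datetime import datetime

# Constructed flow records: time direction src dst dport proto
FLOWS = """\
2020-12-07T09:00:00Z out 10.0.5.21 203.0.113.10 443 tcp
2020-12-07T09:05:00Z out 10.0.5.21 203.0.113.10 443 tcp
2020-12-07T09:10:00Z out 10.0.5.21 203.0.113.10 443 tcp
2020-12-07T09:15:00Z out 10.0.5.21 203.0.113.10 443 tcp
2020-12-07T09:16:12Z out 10.0.5.22 198.51.100.7 443 tcp
2020-12-07T09:17:40Z out 10.0.5.23 192.0.2.99 4444 tcp
2020-12-07T09:18:03Z in 198.51.100.200 10.0.5.10 22 tcp
2020-12-07T09:18:30Z in 198.51.100.200 10.0.5.10 443 tcp
"""
FLOW_FIELDS = ["time", "direction", "src", "dst", "dport", "proto"]

# Constructed logon records: time user host result
LOGONS = """\
2020-12-07T08:55:10Z alice ws-014 success
2020-12-07T12:03:44Z bob ws-020 success
2020-12-07T23:41:02Z alice ws-014 success
2020-12-08T03:12:19Z carol ws-031 success
"""
LOGON_FIELDS = ["time", "user", "host", "result"]

# Policy definitions (assumptions for the example).
ALLOWED_OUTBOUND_PORTS = {80, 443, 53}
ALLOWED_INBOUND = {("10.0.5.10", 443)}   # published services only
KNOWN_DESTINATIONS = {"198.51.100.7"}     # e.g. approved SaaS endpoints
BEACON_MIN_COUNT = 4                     # repeated, evenly spaced connections
BEACON_JITTER_SEC = 30                   # max spread between intervals
# 3.14.7[a]: authorized use = these users, from their assigned host, 07:00-19:00 UTC.
AUTHORIZED_USERS = {"alice": "ws-014", "bob": "ws-020"}
WORK_HOURS = (7, 19)


def parse_records(text, fields):
    """Split whitespace-separated log lines into dicts; the first field is a
    UTC timestamp and is parsed to datetime. Malformed lines are skipped so
    one bad record cannot stop the detector."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def detect_outbound(flows):
    """3.14.6[c]: flag outbound flows to non-standard ports, and periodic
    connections to an unknown destination (a beaconing indicator)."""
    findings = []
    by_pair = defaultdict(list)
    for f in flows:
        if f["direction"] != "out":
            continue
        if int(f["dport"]) not in ALLOWED_OUTBOUND_PORTS:
            findings.append(("unapproved_port", f["src"], f["dst"], int(f["dport"])))
        by_pair[(f["src"], f["dst"])].append(f["time"])
    for (src, dst), times in by_pair.items():
        if dst in KNOWN_DESTINATIONS or len(times) < BEACON_MIN_COUNT:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= BEACON_JITTER_SEC:
            findings.append(("beaconing", src, dst, len(times)))
    return findings


def detect_inbound(flows):
    """3.14.6[b]: flag inbound flows to anything but the published services."""
    return [("unexpected_inbound", f["src"], f["dst"], int(f["dport"]))
            for f in flows
            if f["direction"] == "in" and (f["dst"], int(f["dport"])) not in ALLOWED_INBOUND]


def detect_unauthorized_use(logons):
    """3.14.7[b]: a successful logon is unauthorized use if the user is not
    authorized, uses a host not assigned to them, or logs on outside the
    defined hours. One finding per record, most serious reason first."""
    findings = []
    for rec in logons:
        if rec["result"] != "success":
            continue
        user, host, hour = rec["user"], rec["host"], rec["time"].hour
        if user not in AUTHORIZED_USERS:
            findings.append(("unknown_user", user, host, rec["time"]))
        elif AUTHORIZED_USERS[user] != host:
            findings.append(("unassigned_host", user, host, rec["time"]))
        elif not (WORK_HOURS[0] <= hour < WORK_HOURS[1]):
            findings.append(("outside_hours", user, host, rec["time"]))
    return findings


def run_all(flow_text=FLOWS, logon_text=LOGONS):
    """Run every detector and return the findings grouped by requirement area."""
    flows = parse_records(flow_text, FLOW_FIELDS)
    logons = parse_records(logon_text, LOGON_FIELDS)
    return {
        "outbound": detect_outbound(flows),
        "inbound": detect_inbound(flows),
        "unauthorized_use": detect_unauthorized_use(logons),
    }


if __name__ == "__main__":
    for area, findings in run_all().items():
        print(area, findings)
```

On the sample data the script reports the 4444/tcp connection and the five-minute beacon to 203.0.113.10 (outbound), the SSH attempt against a host that only publishes 443 (inbound), and two logons outside the authorized-use definition. The point for the assessor is that the definition in 3.14.7[a] (which users, from which hosts, during which hours) has to exist before 3.14.7[b] can be tested, and that the beacon detector only works because traffic is monitored in both directions over time rather than per connection.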
catalog/800-171a.txt · Last modified: 2020/12/08 22:05 by btharp